Crackers Unleash Spyware Tactics on IE Holes

Recent attacks exploiting Internet Explorer's weaknesses have begun compromising Web servers and using them as platforms to install Trojans, keyloggers and other malware with the goal of stealing personal and financial data.

The rash of recent attacks exploiting vulnerabilities in Microsoft Corp.s Internet Explorer browser is evidence that crackers are adopting tactics favored by spyware purveyors and could just be the beginning of a wave of highly targeted, well-engineered attacks, security experts say.

Because of its market dominance and its much publicized security holes, IE has long been a favorite target of crackers looking for a quick way to gain control of a users machine. To date, most of those attacks required users to take some action such as opening an e-mail message or visiting a malicious Web site.

Now attackers have begun compromising Web servers and using them as platforms to install Trojans, keyloggers and other malware with the goal of stealing personal and financial data.

Last week, for example, a pop-up ad on a compromised Web site silently installed a Trojan on visitors machines, which then dropped a BHO (Browser Helper Object) that watched for outbound secure connections to a preset list of banking sites.

That Trojan included a keylogger to record data sent over the secure connection before encryption. The data was then sent to a remote machine, presumably controlled by the attacker.

This attack vector is one thats been used to install spyware for some time, but security analysts said last weeks attack is the first instance theyve seen of crackers using this technique.

"Spyware has been using these same methods for some time now, and I think that theyre rather well-known," said Tom Liston, the analyst who did the original analysis of this malware for The SANS Institutes Internet Storm Center, in Bethesda, Md. "The extent of the work involved in setting this up—apparently compromising a few Web sites—leads me to believe that this was a more professionally done hack. Theyll be back."

A similar attack a week earlier took advantage of compromised Web servers to install a different Trojan via two vulnerabilities in IE. These incidents, combined with the string of vulnerabilities that plague IE, have pushed some users to the breaking point.

During a debate between Microsofts Scott Charney and security researcher Dan Geer at the Usenix Annual Technical Conference here last week, audience members called for more diversity in operating systems. Other Microsoft customers said the company needs to start over with IE.

/zimages/6/28571.gifInternet Explorer is too risky to use, Steven J. Vaughan-Nichols warns. Click here to read more.

"Trustworthy Computing has done nothing in regards to IE. I can confidently say IE is in a worse position with the type of exploits today than ever," said Mark Deason, network administrator at Silverside Equipment Inc., in Reno, Nev., which is testing Mozilla Firefox for enterprise deployment. "Blended attacks using obscure functionality are becoming commonplace, hence the recent attention."

Charney, however, rejected repeated assertions that forcing the user base to use different browsers or operating systems would have much effect on the state of security.

"To say that diversity will solve the problem of confidence or integrity isnt true," said Charney, chief security strategist at Microsoft, of Redmond, Wash. "If a very small percent of machines can have an effect [when theyre compromised], wed have to diversify not into two but into millions. Its not really clear to me how that would work in practice."

/zimages/6/28571.gifCheck out eWEEK.coms Security Center at for security news, views and analysis. Be sure to add our security news feed to your RSS newsreader or My Yahoo page: /zimages/6/19420.gif