Drive-By IE Attacks Subside; Threat Remains

The weekend wave of zero-day attacks against Internet Explorer users has leveled off, but experts continue to flag the risk as critical because a patch is not yet available.

The wave of zero-day attacks against a gaping hole in Microsoft's Internet Explorer browser appears to have subsided, but in the absence of a patch, security experts warn that the risk remains significant.

During the weekend of March 25-26, malware hunters discovered more than 200 unique URLs using the unpatched IE flaw to launch drive-by downloads of bots, spyware, back doors and other Trojan downloaders.

However, according to Microsoft's security response personnel, the attack pattern has leveled off.

"Right now, it's not spreading. A lot of the attack sites have been taken down," said Stephen Toulouse, program manager for Microsoft, in Redmond, Wash.

In an interview with eWEEK from Microsoft's specially created "situation room," Toulouse said the software maker has worked aggressively with law enforcement authorities and partners in the Virus Information Alliance to identify and disable the malicious sites hosting the exploits.

Microsoft initially said in an updated advisory that the attacks were "limited in scope" and were being launched from malicious Web sites, but eWEEK has seen a list of legitimate sites that have been hijacked for nefarious use. These include an airline ticketing system, an insurance sales site and a site that sells e-commerce software.


In most of the attacks, the exploits are dropping a variant of SDbot, a type of back-door attack that gives hackers complete control of infected computers. SDbot allows attackers to control victims' computers remotely by sending specific commands via IRC (Internet Relay Chat) channels. It has been used to seed botnets and plant keystroke loggers for use in identity theft attacks.

According to Dan Hubbard, senior director of security and technology research at Websense Security Labs, in San Diego, his company's honeyclient crawler was capturing up to 10 new malicious URLs every hour during the high point of the attacks.

"We believe these attacks are coming from a limited number of people. The code is very similar on all sites with the exception of the upload and download location," Hubbard said.


Hubbard warned that the threat of an escalation should not be discounted, because of the risk of infection by simply browsing to a rigged Web site. "[I think] that additional attacks will occur with different payloads. Most of the time with these zero-days, it's common that groups modify the shellcode to do major damage," he added.

Jose Nazario, software and security engineer at Arbor Networks, based in Lexington, Mass., said the initial list of 200 infected URLs included many false positives because the automated crawlers were finding Web sites that used the vulnerable "createTextRange()" method call in legitimate ways.
