    Drive-By IE Attacks Subside; Threat Remains

Written by Ryan Naraine
Published March 27, 2006

The wave of zero-day attacks against a gaping hole in Microsoft's Internet Explorer browser appears to have subsided, but in the absence of a patch, security experts warn that the risk remains significant.

      During the weekend of March 25-26, malware hunters discovered more than 200 unique URLs using the unpatched IE flaw to launch drive-by downloads of bots, spyware, back doors and other Trojan downloaders.

However, according to Microsoft's security response personnel, the attack pattern has leveled off.

“Right now, it's not spreading. A lot of the attack sites have been taken down,” said Stephen Toulouse, program manager for Microsoft, in Redmond, Wash.

In an interview with eWEEK from Microsoft's specially created “situation room,” Toulouse said the software maker has worked aggressively with law enforcement authorities and partners in the Virus Information Alliance to identify and disable the malicious sites hosting the exploits.

Microsoft initially said in an updated advisory that the attacks were “limited in scope” and were being launched by malicious Web sites, but eWEEK has seen a list of legitimate sites that have been hijacked for nefarious use. These include an airline ticketing system, an insurance sales site and a site that sells e-commerce software.


In most of the attacks, the exploits are dropping a variant of SDbot, a type of back-door attack that gives hackers complete control of infected computers. SDbot allows attackers to control victims' computers remotely by sending specific commands via IRC (Internet Relay Chat) channels. It has been used to seed botnets and plant keystroke loggers for use in identity theft attacks.

According to Dan Hubbard, senior director of security and technology research at Websense Security Labs, in San Diego, his company's honeyclient crawler was capturing up to 10 new malicious URLs every hour during the high point of the attacks.

      “We believe these attacks are coming from a limited number of people. The code is very similar on all sites with the exception of the upload and download location,” Hubbard said.


Hubbard warned that the threat of an escalation should not be discounted, because of the risk of infection by simply browsing to a rigged Web site. “[I think] that additional attacks will occur with different payloads. Most of the time with these zero-days, it's common that groups modify the shellcode to do major damage,” he added.

      Jose Nazario, software and security engineer at Arbor Networks, based in Lexington, Mass., said the initial list of 200 infected URLs included many false positives because the automated crawlers were finding Web sites that used the vulnerable “createTextRange()” method call in legitimate ways.

False Positives and Real Danger

      “A lot of sites were mistakenly flagged as attack sites,” Nazario said. “We were able to whittle it down to about three dozen URLs actually hosting the malicious code.”

      Those URLs mapped to about 18 unique IP addresses, said Nazario, who tracks malicious activity on the widely read Worm Blog.

Nazario's research team also found that the bulk of the shellcode used in the exploits was identical, confirming suspicions that a small group is responsible for the attack.

      “Compared to where we were with the WMF attacks late last year, we can confirm that this one is very limited in scope,” he said.

In addition to working on a patch, Microsoft's Toulouse said generic protections and malware removal signatures have been added to the Windows Live Safety Center to help users clean up from infections.

Microsoft is mulling a plan to release an emergency update to correct the flaw, but Toulouse stressed that the company's priority is to ensure that the patch passes rigorous quality assurance testing.

      The company has already released an advisory with interim workarounds for customers running IE on supported versions of Windows 2000, Windows XP and Windows Server 2003.

      In the absence of a patch, Microsoft recommends that IE users configure the browser to prompt before running Active Scripting, or disable Active Scripting in the Internet and Local intranet security zone.

In addition, IE users can set the Internet and Local intranet security zone settings to “High” so that IE prompts before running Active Scripting in these zones.
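The interim workaround above (prompt before, or disable, Active Scripting in the Internet and Local intranet zones) can be applied and audited per user from PowerShell. This is an added example, not part of the eWEEK article or Microsoft's advisory; it assumes IE's per-user zone settings live under the Zones registry key, that zone 1 is Local intranet and zone 3 is Internet, and that URL action 1400 (Active Scripting) uses 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Added example (not from the article): audit and apply the Active Scripting
# workaround for the IE Internet (zone 3) and Local intranet (zone 1) zones.
# Assumed encoding for URL action 1400: 0 = Enable, 1 = Prompt, 3 = Disable.

$ZoneBase        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones           = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions         = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$ActiveScripting = '1400'

function Get-ActiveScriptingState {
    # Report the current Active Scripting action for each zone we care about.
    foreach ($id in ($Zones.Keys | Sort-Object)) {
        $key = Join-Path $ZoneBase $id
        $val = (Get-ItemProperty -Path $key -Name $ActiveScripting -ErrorAction SilentlyContinue).$ActiveScripting
        [pscustomobject]@{
            Zone   = $Zones[$id]
            Value  = $val
            Action = if ($null -eq $val) { 'not set (zone default)' }
                     elseif ($Actions.ContainsKey([int]$val)) { $Actions[[int]$val] }
                     else { "unknown ($val)" }
        }
    }
}

function Set-ActiveScriptingState {
    # Only 'Prompt' (1) or 'Disable' (3) are accepted, so this function cannot
    # be used to silently re-enable Active Scripting by passing a bad value.
    param([Parameter(Mandatory)][ValidateSet('Prompt', 'Disable')][string]$Mode)
    $code = if ($Mode -eq 'Prompt') { 1 } else { 3 }
    foreach ($id in $Zones.Keys) {
        $key = Join-Path $ZoneBase $id
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $ActiveScripting -Value $code -Type DWord
    }
}

# Usage: show the state before, apply 'Prompt' (the less disruptive of the two
# workarounds named in the advisory), then verify the change took effect.
Get-ActiveScriptingState | Format-Table -AutoSize
Set-ActiveScriptingState -Mode Prompt
Get-ActiveScriptingState | Format-Table -AutoSize
```

Running it as the logged-on user changes only that user's IE zone settings; a domain-wide rollout would set the same value through Group Policy instead.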
