Hackers Compromise Legit Web Sites to Target Microsoft IE Flaw

Microsoft reported a significant increase in the number of users infected with malware targeting a vulnerability in Internet Explorer widely reported last week. The flaw affects all supported editions of IE.

Hackers have begun compromising Web sites to infect vulnerable computers with malware that exploits a zero-day flaw in Internet Explorer revealed last week.

Microsoft reported a significant increase in the number of infected users over the weekend, and researchers at Trend Micro estimated about 6,000 sites had been infected. The move is a shift in tactics for hackers, who had been relying on rogue Web sites to propagate their malware.

"Based on our stats, since the vulnerability has gone public, roughly 0.2 percent of users worldwide may have been exposed to Web sites containing exploits of this latest vulnerability," according to a posting on the Microsoft Malware Protection Center (MMPC) blog. "That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going upwards: we saw an increase of over 50 percent in the number of reports today compared to yesterday."

So far, the compromised sites have run the gamut, ranging from a popular search engine in Taiwan - now reportedly clean - to various pornography sites.

"We recently found a Web site in Hong Kong that serves various content including adult entertainment," according to the MMPC blog. "Users who hoped to watch that content, became target of those attacks: specifically, the exploit dropped Trojans that we detect as Trojan:Win32/VB.IQ.dr and Trojan:Win32/VB.IQ."

Other compromised sites included a Chinese sporting goods site with a traffic rank of close to 7 million. According to Trend Micro, the site contained HTML code that directed users to a remote site with malicious script. The final payload is a worm detected by Trend Micro as WORM_AUTORUN.BSE. Other exploits that also lead to the worm are HTML_IFRAME.ZM, JS_DLOADER.QGV and HTML_AGENT.CPZZ, according to Trend.

"Obfuscated JavaScript in the HTML Web pages are also detected as JS_DLOAD.MD, the same malicious script found to exploit the zero-day vulnerability in IE7," Trend Micro's Mayee Corpin wrote on the company's security blog.

Exploits for the zero-day, which affects all versions of Internet Explorer (IE), began to proliferate last week shortly after Microsoft's monthly Patch Tuesday release. The vulnerability lies in the way the browser handles DHTML Data Bindings.

While Microsoft has not issued a patch, the company has released information on a number of workarounds to help users protect themselves, including setting the Internet security zone to -High' and disabling XML Island functionality.