Spyware, Bots, Rootkits Flooding Through Unpatched IE Hole

The latest zero-day flaw in Microsoft's Internet Explorer browser is being used to dump a massive collection of bots, Trojan downloaders, spyware and rootkits on infected Windows machines.

The newest zero-day flaw in the Microsoft Windows implementation of the Vector Markup Language is being used to flood infected machines with a massive collection of bots, Trojan downloaders, spyware and rootkits.

Less than 24 hours after researchers at Sunbelt Software discovered an active malware attack against fully patched versions of Windows, virus hunters say the Web-based exploits are serving up botnet-building Trojans and installations of ad-serving spyware.

"This is a massive malware run," says Roger Thompson, chief technical officer at Atlanta-based Exploit Prevention Labs. In an interview with eWEEK, Thompson confirmed the drive-by attacks are hosing infected machines with browser tool bars and spyware programs with stealth rootkit capabilities.

The laundry list of malware programs seeded on Russian porn sites also includes a dangerous keystroke logger capable of stealing data from computers and a banker Trojan that specifically hijacks log-in information from financial Web sites.

According to Sunbelt Software researcher Eric Sites, the list of malware programs includes VirtuMonde, an ad-serving program that triggers pop-ups from Internet Explorer; Claria.GAIN.CommonElements, an adware utility; AvenueMedia.InternetOptimizer; and several browser plug-ins and tool bars and variants of the virulent Spybot worm.

eWEEK has confirmed the flaw—and zero-day attacks—on a fully patched version of Windows XP SP2 running IE 6.0. There are at least three sites hosting the malicious executables, which are being served up on a rotational basis.

In some cases, a visit to the site turns up an error message that reads simply: "Err: this user is already attacked."

The attack is closely linked to the WebAttacker do-it-yourself spyware installation tool kit. On one of the maliciously rigged Web sites, the attack code even goes as far as referencing the way Microsoft identifies its security patches, confirming fears that a well-organized crime ring is behind the attacks.

The URL thats serving up the exploit includes the following: "MS06-XMLNS&SP2," a clear reference to the fact that the flaw is a zero-day that will trigger a quick patch from Microsoft.

A Microsoft spokesman said the company is aware of the public release of detailed exploit code that could be used to exploit this vulnerability. "Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the users system. Microsoft is aware of limited attacks that attempt to exploit the vulnerability," the spokesman said in a statement sent to eWEEK.

The company plans to ship an IE patch as part of its October batch of updates due Oct. 10. An emergency, out-of-cycle patch could be released if the attacks escalate.

Microsoft has added signature-based detection to its Windows OneCare anti-virus product. A formal security advisory with pre-patch workarounds will be posted within the next 24 hours.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.