Unpatched IE Hole Swarmed

Flaw is used to flood infected machines

The newest zero-day flaw in the Microsoft Windows implementation of Vector Markup Language, or VML, is being used to flood infected machines with a massive collection of bots, Trojan downloaders, spyware and rootkits.

Less than 24 hours after researchers at Sunbelt Software discovered an active malware attack against fully patched versions of Windows, virus hunters said the Web-based exploits are serving up botnet-building Trojans and installations of ad-serving spyware.

"This is a massive malware run," said Roger Thompson, chief technology officer at Atlanta-based Exploit Prevention Labs. In an interview with eWeek, Thompson confirmed the drive-by attacks are flooding infected machines with browser tool bars and spyware programs with stealth rootkit capabilities.

The laundry list of malware programs seeded on Russian porn sites also includes a dangerous keystroke logger capable of stealing data from computers and a banker Trojan that specifically hijacks log-in information from financial Web sites.

According to Sunbelt Software researcher Eric Sites, the list of malware programs includes VirtuMonde, an ad-serving program that triggers pop-ups from Microsofts Internet Explorer; Claria.GAIN.CommonElements, an adware utility; AvenueMedia.InternetOptimizer; and several browser plug-ins and tool bars and variants of the virulent Spybot worm.

eWeek has confirmed the flaw—and zero-day attacks—on a fully patched version of Windows XP Service Pack 2 running IE 6.0. There are at least three sites hosting the malicious executables, which are being served up on a rotational basis.

In some cases, a visit to the site turns up an error message that reads simply: "Err: this user is already attacked."

The attack is closely linked to the WebAttacker do-it-yourself spyware installation tool kit. On one of the maliciously rigged Web sites, the attack code even goes as far as referencing the way Microsoft identifies its security patches, confirming fears that a well-organized crime ring is behind the attacks.

The URL thats serving up the exploit includes the following: "MS06-XMLNS&SP2," a clear reference to the fact that the flaw is a zero-day that will trigger a quick patch from Microsoft.

A Microsoft spokesperson said the Redmond, Wash., company is aware of the public release of detailed exploit code that could be used to exploit this vulnerability. "Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the users system. Microsoft is aware of limited attacks that attempt to exploit the vulnerability," the spokesperson said in a statement sent to eWeek.

The company plans to ship an IE patch as part of its October batch of updates due Oct. 10. An emergency, out-of-cycle patch could be released if the attacks escalate.

Microsoft has added signature-based detection to its Windows OneCare anti-virus product. A formal security advisory with prepatch workarounds has been published.