Drive-by IE Attacks Subside; Threat Remains
The wave of zero-day attacks against a gaping hole in Microsoft's Internet Explorer browser appears to have subsided, but in the absence of a patch, security experts warn that the risk remains significant. During the weekend of March 25-26, malware hunters discovered more than 200 unique URLs using the unpatched IE flaw to launch drive-by downloads of bots, spyware, back doors and other Trojan downloaders.

However, according to Microsoft's security response personnel, the attack pattern has leveled off.

"Right now, it's not spreading. A lot of the attack sites have been taken down," said Stephen Toulouse, program manager for Microsoft, in Redmond, Wash.

In an interview from Microsoft's specially created "situation room," Toulouse said the software maker has worked aggressively with law enforcement authorities and partners in the Virus Information Alliance to identify and disable the malicious sites hosting the exploits.

Microsoft said in an updated advisory that the attacks were "limited in scope" and were being launched from malicious Web sites, including several legitimate sites that had been hijacked for the purpose: an airline ticketing system, an insurance sales site and a site that sells e-commerce software.

In most of the attacks, the exploits are dropping a variant of SDbot, a back door that gives attackers complete control of infected computers. SDbot lets attackers control victims' computers remotely by sending commands over IRC (Internet Relay Chat) channels. It has been used to seed botnets and plant keystroke loggers for use in identity theft attacks.

According to Dan Hubbard, senior director of security and technology research at Websense Security Labs, in San Diego, his company's honeyclient crawler was capturing up to 10 new malicious URLs every hour during the high point of the attacks.

"We believe these attacks are coming from a limited number of people. The code is very similar on all sites with the exception of the upload and download location," Hubbard said.

Hubbard warned that the threat of an escalation should not be discounted, because infection requires nothing more than browsing to a rigged Web site. "[I think] that additional attacks will occur with different payloads. Most of the time with these zero-days, it is common that groups modify the shellcode to do major damage," he added.

Jose Nazario, software and security engineer at Arbor Networks, based in Lexington, Mass., said the initial list of 200 infected URLs included many false positives, because the automated crawlers were matching on Web sites that called the "createTextRange()" method (the method at the center of the vulnerability) in legitimate ways.

"A lot of sites were mistakenly flagged as attack sites," Nazario said. "We were able to whittle it down to about three dozen URLs actually hosting the malicious code."

Those URLs mapped to about 18 unique IP addresses, said Nazario, who tracks malicious activity on the widely read Worm Blog.

Nazario's research team also found that the bulk of the shellcode used in the exploits was identical, confirming suspicions that a small group is responsible for the attack.
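The false-positive problem Nazario describes, and the near-identical shellcode he and Hubbard observed, suggest a simple triage step between the crawler's raw hits and a human analyst. The script below is an added example, not Arbor's, Websense's or Microsoft's tooling: it assumes, as a heuristic, that exploit pages of this family carry their payload as a long run of `unescape("%uXXXX...")` Unicode escapes (a common shellcode and heap-spray encoding of the period), which a page that uses `createTextRange()` to manipulate a text box has no reason to contain. The threshold, the function name and the three sample pages are constructed for illustration.

```powershell
# Added example (not from the article): a crude static triage filter of the
# kind a honeyclient crawler could apply to separate pages that merely call
# createTextRange() from pages that pair it with a shellcode-like blob.
# Assumption: exploit pages carry long runs of %uXXXX escapes inside unescape();
# the threshold below is a guess to be tuned on real captures.

function Test-CreateTextRangePage {
    param(
        [Parameter(Mandatory)][string]$Html,
        [int]$MinEscapes = 64          # assumed threshold, not derived from real samples
    )
    $usesMethod  = $Html -match 'createTextRange\s*\('
    $hasUnescape = $Html -match 'unescape\s*\('
    $escapes     = [regex]::Matches($Html, '%u[0-9A-Fa-f]{4}').Count

    if (-not $usesMethod) {
        $verdict = 'no-match'          # crawler should never have flagged this page
    } elseif ($hasUnescape -and $escapes -ge $MinEscapes) {
        $verdict = 'suspicious'        # method call plus an encoded payload: hand to an analyst
    } else {
        $verdict = 'benign-use'        # method call without a payload: likely a form script
    }

    [pscustomobject]@{
        UsesCreateTextRange = $usesMethod
        UnicodeEscapes      = $escapes
        Verdict             = $verdict
    }
}

# Constructed sample 1: a legitimate IE-only idiom that moves the caret to the end of a textarea.
$legitPage = @'
<textarea id="msg"></textarea>
<script>
var t = document.getElementById("msg");
var r = t.createTextRange();
r.collapse(false);
r.select();
</script>
'@

# Constructed sample 2: the same call next to a long %u-escaped blob
# (a NOP-sled-looking stand-in, not a working payload).
$suspectPage = '<script>var blob = unescape("' + ('%u9090' * 100) + '");' +
               'var r = document.getElementById("x").createTextRange();</script>'

# Constructed sample 3: no createTextRange() at all.
$otherPage = '<script>document.title = "hello";</script>'

$legitPage, $suspectPage, $otherPage |
    ForEach-Object { Test-CreateTextRangePage -Html $_ } |
    Format-Table -AutoSize
```

The point of the filter is to keep the crawler's recall (every page calling the method is still captured) while cutting the analyst's queue to pages that also carry a payload; attackers who switch to a different encoding would evade this particular check, which is why it is a triage aid and not a detection signature.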

"Compared to where we were with the WMF attacks late last year, we can confirm that this one is very limited in scope," he said.

In addition to working on a patch, Microsoft's Toulouse said generic protections and malware removal signatures have been added to the Windows Live Safety Center to help users clean up from infections.

Microsoft is mulling a plan to release an emergency update to correct the flaw, but Toulouse stressed that the company's priority is to ensure that the patch passes rigorous quality assurance testing.

The company has already released an advisory with interim workarounds for customers running IE on supported versions of Windows 2000, Windows XP and Windows Server 2003.

In the absence of a patch, Microsoft recommends that IE users configure the browser to prompt before running Active Scripting, or disable Active Scripting altogether, in both the Internet and the Local intranet security zones.

Alternatively, IE users can set the Internet and Local intranet security zones to "High," which causes the browser to prompt before running Active Scripting in those zones.


While Microsoft works on a patch for a critical Internet Explorer 6 script vulnerability that can allow a hacker to take control of a Windows PC, another firm has beaten Microsoft to the punch, releasing its own fix for the problem.

The new patch from eEye Digital Security is not meant to replace the forthcoming Microsoft patch, but it does provide immediate protection until the official fix is available. It is designed to remove itself automatically when Microsoft's official patch becomes available.

Microsoft's official patch might not be released until next month, according to a blog posting on the company's security site.

The notice states that the company has seen only limited numbers of attacks targeting the newly found flaw and that an Internet Explorer 6 update will be released as soon as it is ready. Currently, Microsoft's plan is to prepare the fix in time for its next set of monthly patches, due to be released in early April.

Meanwhile, the software giant has introduced an Internet Explorer feedback database in an effort to collect information on potential bugs found in the beta version of Internet Explorer 7.

The company noted on the Internet Explorer site that customers have requested a better way to alert Microsoft to bugs. For now, visitors to the feedback database will need a Microsoft Passport to view or report browser problems, although Microsoft plans eventually to allow anonymous access to the site.

The feedback site is for Internet Explorer 7 and future versions of the browser. Once IE7 has shipped, the site will be used to gather feedback so Microsoft can improve future iterations.

Bugs can be marked either as public or private. A public bug can be viewed by anyone who goes to the feedback database, enabling those who discover the same issues to evaluate them and know that they are entered.

Forrester analyst Paul Stamp suggested that, given the ongoing problems associated with Internet Explorer, both security-related issues and those involving basic navigation, Microsoft needs a forum for input from users.

"Browsers are so complex now that there are more bases to cover," he said. "And because Microsoft went years before taking a proactive approach to Explorer bugs, there will be more flaws cropping up."

As for the current vulnerability, security experts have noted that, while the flaw is serious, those wishing to exploit it must get users to visit a specially crafted Web page, whether by enticing them to click a link or by planting the code on a legitimate site. In addition, the exploit runs with the rights of the logged-on user, so a PC is fully taken over only when that user is browsing with administrator rights.

The vulnerability is exploitable via Web surfing, e-mail, and instant messaging, and several versions of the exploit are already in the wild and are being used actively by hackers, eEye reported.

Those whose accounts are configured to have fewer user rights are less vulnerable than users who operate their PCs with full admin rights turned on. Currently, there have been numerous reports of this vulnerability being used in attempts to install spyware and remote control "bot" software for use in distributed denial-of-service (DDoS) attacks.

The recommended action to protect systems against this exploit is to disable Active Scripting from within Internet Explorer.

This can be done by opening the Internet Options settings listed in Internet Explorer's Tools menu, clicking on the Security tab, selecting the Internet zone, and clicking on the Custom Level option. The Active Scripting setting is near the end of the list.
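Both the Microsoft workaround described earlier (prompt for or disable Active Scripting in the Internet and Local intranet zones, or set those zones to "High") and the click-through procedure just given write the same per-user registry values that the Internet Options dialog edits. The script below is an added example, not Microsoft's or eEye's code: it applies the workaround from the command line and reads the result back so an administrator can confirm it took effect. It assumes the zone layout used by IE 6 on Windows 2000, XP and Server 2003: zone 1 is Local intranet, zone 3 is Internet, value `1400` is the Active Scripting action (0 enable, 1 prompt, 3 disable) and value `1A10` is the zone's slider level (0x12000 is High). The function names are the author's.

```powershell
# Added example (not from the article): apply Microsoft's interim workaround
# for the unpatched IE createTextRange() flaw by setting the per-user
# security-zone registry values that the Internet Options dialog edits.
# Assumptions: IE 6 on Windows 2000/XP/2003, current user's hive (HKCU),
# zone 1 = Local intranet, zone 3 = Internet, value 1400 = Active Scripting
# (0 = enable, 1 = prompt, 3 = disable), value 1A10 = slider level (0x12000 = High).

$ZonesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Targets  = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions  = @{ Enable = 0; Prompt = 1; Disable = 3 }

function Set-ActiveScripting {
    param(
        [Parameter(Mandatory)][ValidateSet('Enable', 'Prompt', 'Disable')][string]$Mode,
        [switch]$AlsoSetHigh      # also move the zone slider to High, as the advisory's alternative does
    )
    foreach ($zone in $Targets.Keys) {
        $key = Join-Path $ZonesKey $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name '1400' -Value $Actions[$Mode] -Type DWord
        if ($AlsoSetHigh) {
            Set-ItemProperty -Path $key -Name '1A10' -Value 0x12000 -Type DWord
        }
    }
}

function Get-ActiveScriptingState {
    # Read the values back so the change can be verified (or audited on other users' hives).
    foreach ($zone in $Targets.Keys) {
        $key = Join-Path $ZonesKey $zone
        $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        switch ($p.'1400') {
            0       { $state = 'Enable' }
            1       { $state = 'Prompt' }
            3       { $state = 'Disable' }
            default { $state = '(unset: zone default applies)' }
        }
        [pscustomobject]@{
            Zone            = $Targets[$zone]
            ActiveScripting = $state
            Level           = ('0x{0:X}' -f [int]$p.'1A10')
        }
    }
}

# Usage: prompt before running script in both zones, then confirm the setting.
Set-ActiveScripting -Mode Prompt
Get-ActiveScriptingState | Format-Table -AutoSize

# After the official patch is installed, restore the default with:
#   Set-ActiveScripting -Mode Enable
```

The change applies only to the user whose hive is edited and is picked up by newly opened IE windows; for a fleet, the same zone settings belong in Group Policy rather than in per-user scripts. Prompting rather than disabling keeps most legitimate sites usable, but a user who habitually clicks "Yes" gets no protection from it, which is why the article's experts still treat the workaround as a stopgap until the patch ships.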
