TrendLabs has recently received reports of a malicious JavaScript taking advantage of a relatively old Internet Explorer vulnerability to download an information-stealing spyware. What is notable, however, is that the script uses a “Heap Feng Shui” library, a technique initially discussed as a proof of concept at BlackHat Europe ‘07 (read the white paper here).
The JavaScript, which Trend Micro detects as JS_HACK.AG, attempts to take advantage of an IE vulnerability discussed in Microsoft Security Bulletin MS06-067 by importing a heap overflow library named heapLib.js (detected by Trend Micro as TROJ_Generic). Successful exploitation of the vulnerability allows JS_HACK.AG to download TSPY_AGENT.AAVG.
This is not the first time the “Heap Feng Shui” technique has been used by malware. Last June, a Trojan bearing the same characteristics was caught by the Trend Micro Incident Response Team (TMIRT). It was detected as TROJ_DLOADER.IGR. This latest discovery thus tells us that more malware authors will be jumping on this bandwagon soon (I can just imagine malware toolkits in the production pipelines already). It also underscores the fine line that separates the good guys from the bad ones, given that the initial concept was presented to help improve security.
Trend Micro advises users to keep their security applications updated and their systems patched with the latest fixes to avoid being affected by threats similar to these.
Additional data provided by Ivan Macalintal and Ryan Flores.