Feb 17, 2009, 2:55 am (UTC-7) | by Jake Soriano (Technical Communications)
Cybercriminals are actively exploiting a critical vulnerability in Internet Explorer 7 that arises from the browser's improper handling of errors when it attempts to access deleted objects: the object is freed during error handling, but the browser keeps using a stale reference to it. This allows a remote attacker to execute arbitrary code on a vulnerable machine simply by getting the user to load a crafted page.
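The following is an added illustration of that bug class (a deleted object used after an error path), not Internet Explorer code and not the actual CVE-2009-0075 trigger. It assumes a toy heap with fixed-size slots and a LIFO free list, a hypothetical `element` object whose first field is a function pointer (standing in for a COM vtable pointer), and two stand-in functions, `legit_handler` and `attacker_payload`, so the outcome is deterministic and can be run as-is. The vulnerable dispatcher frees the object on the error path and falls through to use it; the hardened one drops the owning reference and returns.

```c
/* Added example: use-after-free on an error path, with the freed slot
 * reoccupied by attacker-controlled data (the browser-side equivalent is a
 * JavaScript heap spray of same-size objects). Toy allocator, not a real heap. */
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE 32
#define NSLOTS 4
#define E_DELETED (-1)

/* Toy heap: fixed-size slots, each aligned well enough to hold an element. */
static union { unsigned char bytes[SLOT_SIZE]; void *align; } heap[NSLOTS];
static int free_list[NSLOTS];
static int nfree;

static void heap_init(void) {
    memset(heap, 0, sizeof heap);
    nfree = 0;
    for (int i = NSLOTS - 1; i >= 0; i--) free_list[nfree++] = i;
}

static void *toy_alloc(void) { return nfree ? heap[free_list[--nfree]].bytes : NULL; }

static void toy_free(void *p) {
    /* LIFO free list: the next same-size allocation gets this very slot back,
       which is exactly the behaviour a heap-spraying attacker relies on. */
    int idx = (int)(((unsigned char *)p - (unsigned char *)heap) / SLOT_SIZE);
    free_list[nfree++] = idx;
}

/* Hypothetical DOM-like object; first field plays the role of a vtable pointer. */
typedef int (*handler_fn)(void);
typedef struct { handler_fn on_event; int id; } element;

static int legit_handler(void)   { return 0; }
static int attacker_payload(void) { return 0x41414141; } /* stands in for shellcode */

/* Attacker reoccupies the freed slot: the fake object's first field now
   points at the payload, so any call through it runs attacker code. */
static void attacker_spray(void) {
    unsigned char *p = toy_alloc();
    handler_fn fake = attacker_payload;
    memcpy(p, &fake, sizeof fake);
}

/* Vulnerable: error handling deletes the element, but execution falls
   through and the stale pointer is dereferenced. */
static int dispatch_vulnerable(element **owner, int error) {
    element *e = *owner;
    if (error) {
        toy_free(e);        /* object deleted while handling the error... */
        attacker_spray();   /* ...and its memory reused before the next use */
        /* missing here: clear *owner and return */
    }
    return e->on_event();   /* use-after-free: calls attacker_payload */
}

/* Hardened: delete, null the owning reference, and stop; every later use
   goes through the reference, which is checked first. */
static int dispatch_hardened(element **owner, int error) {
    if (error) {
        toy_free(*owner);
        *owner = NULL;
        attacker_spray();   /* the spray still happens, but nothing uses the slot */
        return E_DELETED;
    }
    if (*owner == NULL) return E_DELETED;
    return (*owner)->on_event();
}

/* Fresh heap with one live element, then one dispatch variant. */
static int run(int hardened, int error) {
    heap_init();
    element *e = toy_alloc();
    e->on_event = legit_handler;
    e->id = 7;
    element *owner = e;
    return hardened ? dispatch_hardened(&owner, error)
                    : dispatch_vulnerable(&owner, error);
}

int main(void) {
    printf("vulnerable, no error : 0x%x\n", (unsigned)run(0, 0));
    printf("vulnerable, error    : 0x%x\n", (unsigned)run(0, 1)); /* payload ran */
    printf("hardened,   error    : %d\n",   run(1, 1));            /* E_DELETED */
    return 0;
}
```

The point of the toy allocator is the LIFO reuse: whoever allocates next after the delete owns the memory the stale pointer still refers to. That is why the fix is not "handle the error more carefully" but "never touch the object again once it has been deleted", enforced by clearing the reference and checking it.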
The threat starts with a spammed malicious .DOC file, detected as XML_DLOADR.A. The file has seen very limited distribution, suggesting a targeted attack. It contains an ActiveX object that automatically accesses a site rigged with a malicious HTML page, detected by the Trend Micro Smart Protection Network as HTML_DLOADER.AS.
HTML_DLOADER.AS exploits CVE-2009-0075, which was already addressed by the MS09-002 security patch released last week. On an unpatched system, however, successful exploitation downloads a backdoor detected as BKDR_AGENT.XZMS.
The backdoor in turn installs a .DLL file with information-stealing capabilities, which sends the stolen information to another URL over port 443, so the exfiltration blends in with ordinary HTTPS traffic.

Figure 1. Threat Infection Chain.
Although the IE family's install base is slowly being eaten into by stiff competition from Firefox and Chrome, IE7 is still used by about one in every four Web users, a much larger share than earlier IE versions. This could explain why cybercriminals seem so eager to hunt for more bugs in it. Zero-day exploits, also in IE7, were big news last December.
Our engineers are still working on the details of this threat; we will post updates as soon as more information becomes available. The Smart Protection Network already prevents HTML_DLOADER.AS, XML_DLOADR.A, and BKDR_AGENT.XZMS from running on systems, and it blocks the malicious URLs. Users are meanwhile advised to PATCH NOW: apply MS09-002 (KB961260) if it is not already installed.
Update as of 17 February 2009, 6PM PST
Analysis by Trend Micro researchers reveals that BKDR_AGENT.XZMS takes screenshots of the infected system and sends them to a remote malicious location. It also creates a hidden Internet Explorer window that connects to a website to listen for commands.
Update as of 1 March 2009, 7PM PST
Advanced Threats Researcher Jamz Yaneza points to details that may link this attack to the wave of exploits tied to the Beijing Olympics frenzy last year, as well as to the related Tibet issue. Those earlier exploits also used specially crafted Microsoft Office documents. BKDR_AGENT.XZMS, meanwhile, contains a string referring to the 50th anniversary of the Tibetan uprising, and the backdoor waits for commands from a website in China that has previously been linked to port-scanning and SQL attacks.