
    Malware criminals were quick to pounce on the recently discovered — and still unpatched — zero-day exploit for Internet Explorer and to mount mass SQL injection attacks, Trend Micro researchers have found. Researchers industry-wide have correctly warned that it was only a matter of time before this exploit, which is publicly available, was used for a wider scope of attack. The folks at the SANS Internet Storm Center (ISC) are also reporting this.

    Advanced Threats Researcher Ivan Macalintal puts the number of infected sites so far at 6,000 and (quickly) increasing in number. He cites at least two Web sites infected with code that exploits the zero-day vulnerability, one in the .tw domain, and the other under .cn. The first is a Taiwanese search engine [Update: Now clean. -Ed.] which was found injected with the malicious JavaScript code through SQL injection.

    The second is a Chinese sporting goods site with a traffic rank of close to 7 million, which was found containing HTML code directing users to a remote site which contains the same malicious script.


    Fig. 1. A webpage of the compromised popular Chinese skating/sporting goods site


    Fig. 2. An image of an injected redirection to a third-party site hosting the exploit

    The final payload is a worm detected by Trend Micro as WORM_AUTORUN.BSE. Other exploits that also lead to the worm are as follows:

    • HTML_IFRAME.ZM
    • JS_DLOADER.QGV
    • HTML_AGENT.CPZZ

    Obfuscated JavaScript in the HTML webpages is also detected as JS_DLOAD.MD, the same malicious script found to exploit the zero-day vulnerability in IE7.

    Microsoft posted revisions to its Security Advisory with the latest analysis of the underlying flaw in this attack. The advisory also states that the flaw renders Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2 on all supported versions of Microsoft Windows potentially vulnerable.

    The Trend Micro Smart Protection Network already detects the malicious scripts as well as WORM_AUTORUN.BSE at the desktop level, and provides solutions for the removal of the worm. We recommend using the Trend Micro Web Protection Add-On.




