Extremely critical IE Flaw
norrisa
Member
# Posted: 23 Sep 2006 13:43


The newest zero-day flaw in the Microsoft Windows implementation of the Vector Markup Language is being used to flood infected machines with a massive collection of bots, Trojan downloaders, spyware and rootkits.

Less than 24 hours after researchers at Sunbelt Software discovered an active malware attack against fully patched versions of Windows, virus hunters say the Web-based exploits are serving up botnet-building Trojans and installations of ad-serving spyware.

"This is a massive malware run," says Roger Thompson, chief technical officer at Atlanta-based Exploit Prevention Labs. In an interview with eWEEK, Thompson confirmed the drive-by attacks are hosing infected machines with browser tool bars and spyware programs with stealth rootkit capabilities.

The list of malware programs seeded on pornography sites also includes a dangerous keystroke logger capable of stealing data from computers and a banker Trojan that specifically hijacks log-in information from financial Web sites.

According to Sunbelt Software researcher Eric Sites, the list of malware programs includes VirtuMonde, an ad-serving program that triggers pop-ups from Internet Explorer; Claria.GAIN.CommonElements, an adware utility; AvenueMedia.InternetOptimizer; and several browser plug-ins and tool bars and variants of the virulent Spybot worm.

eWEEK has confirmed the flaw—and zero-day attacks—on a fully patched version of Windows XP SP2 running IE 6.0. There are at least three sites hosting the malicious executables, which are being served up on a rotational basis.

In some cases, a visit to the site turns up an error message that reads simply: "Err: this user is already attacked."

The attack is closely linked to the WebAttacker do-it-yourself spyware installation tool kit. On one of the maliciously rigged Web sites, the attack code even goes as far as referencing the way Microsoft identifies its security patches, confirming fears that a well-organized crime ring is behind the attacks.

The URL that's serving up the exploit includes the following: "MS06-XMLNS&SP2," a clear reference to the fact that the flaw is a zero-day that will trigger a quick patch from Microsoft.

A Microsoft spokesman said the company is aware of the public release of detailed exploit code that could be used to exploit this vulnerability. "Based on our investigation, this exploit code could allow an attacker to execute arbitrary code on the user's system. Microsoft is aware of limited attacks that attempt to exploit the vulnerability," the spokesman said in a statement sent to eWEEK.

The company plans to ship an IE patch as part of its October batch of updates due Oct. 10. An emergency, out-of-cycle patch could be released if the attacks escalate.

There is a current 'Third Party' patch currently available here

WARNING:
There is a risk associated with a third-party patch as it hasn't gone through the extensive testing that Microsoft puts its patches through. Outpost10F is not responsible for any loss or damage caused.


Source


