New IE Zero-Day Exploit Triggers Info Theft

Date post: 18-Nov-2014
Upload: trend-micro
Description: Web Threat Spotlight Issue 60: TrendLabs looks at a recent IE 6 and IE 7 vulnerability and the MMOG information-stealing malware associated with it.

Web Threat Spotlight

A Web threat is any threat that uses the Internet to facilitate cybercrime.

ISSUE NO. 60 MARCH 29, 2010

New IE Zero-Day Exploit Triggers Info Theft

Zero-day vulnerabilities and exploits seem to be a recurring theme in recent months. Several software products and browsers received criticism for critical vulnerabilities that were made public. Topping the list is Internet Explorer (IE), which was found to have two separate security vulnerabilities in March alone. The most recent of these zero-day vulnerabilities unfortunately led to several malware detections, which, in some instances, paved the way for game-related information theft.

The Threat Defined

Several news reports on zero-day vulnerabilities recently made headlines. Just months after the much-publicized IE bug exploit related to the HYDRAQ attacks, a new IE vulnerability prompted Microsoft to release another security advisory to warn its users.

Security Advisory (981374) informs users of a vulnerability that exists due to an invalid pointer reference bug within IE, which has been identified as CVE-2010-0806. This particular bug can be exploited under certain conditions to execute malicious code. The vulnerability primarily affects IE 6 and 7 but does not affect IE 8. Systems using the latest Windows versions—Windows 7 and Server 2008—are likewise automatically immune from this threat since the said OS versions are shipped with IE 8.

Unfortunately, systems that came preinstalled with earlier versions of IE can fall prey to several malware detections that exploit the still-unpatched zero-day flaw. Visiting compromised websites using IE 6 or 7 may result in the download of malicious script files that take advantage of the said vulnerability to allow a remote user to access the affected system. To date, Trend Micro has detected several attacks that all begin with a malicious JavaScript file.

Figure 1. CVE-2010-0806 exploit infection diagram

Two different detections, JS_SHELLCODE.CD and JS_SHELLCOD.JDT, both exploit the vulnerability and attempt to download files. For its part, JS_SHELLCOD.JDT successfully downloads TROJ_INJECT.JDT, which also tries to connect to a URL that has since become inaccessible. In separate infection chains, another pair of detections leaves affected systems ridden with multiple malware. JS_SHELLCODE.YY and JS_COSMU.A download and drop other malware, which eventually lead to information theft. The final payloads, TSPY_GAMETI.WOW and TROJ_GAMETHI.FNZ, both steal user names and passwords related to the game, World of Warcraft (WoW).

1 of 2 – WEB THREAT SPOTLIGHT


Considering the fact that real money can be made by stealing online-gaming credentials, it is not surprising that cybercriminals leveraged a critical IE vulnerability for personal gain. In 2009, massively multiplayer online (MMO) games in the United States alone made as much as US$3.8 billion, proving the extensive moneymaking opportunities that games like WoW offer. Exploiting game bugs for fraud and cheating is yet another recurring theme in cybersecurity, the end of which is nowhere in sight. However, exploiting an IE bug instead of directly hacking games puts a different spin on the typical game-related information theft techniques. It likewise proves that cybercriminals will stop at nothing to carry out their malicious intentions.

User Risks and Exposure

While vulnerabilities constantly exist, zero-day flaws complicate matters because of the time factor involved. As developers rush to protect users, cybercriminals are likewise racing to use the bug to their advantage. The recent IE vulnerability is yet more proof of how zero-day exploits can lead to a complex infection chain.

To avoid zero-day exploits, users should use updated versions of all software and ensure that their antivirus patterns are up to date at all times. It is also important to be wary of links, files, and downloadable data from untrustworthy sources. Disabling scripting or, at least, restricting its use to trusted sites is also a good option to avoid falling prey to exploits that abuse script files.

Using alternative browsers is another option. However, it is also important to note that even other browsers have vulnerabilities that are not immediately fixed. As such, users should patch all software as soon as updates are released. Patching systems requires a lot of work but is a critical step in ensuring system security.
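The two checks recommended above can be audited on a Windows host with the following PowerShell script. It is an added example, not part of the Trend Micro bulletin: it reports the installed IE major version (the bulletin states that IE 6 and 7 are affected and IE 8 is not) and whether Active Scripting is enabled for the Internet and Trusted Sites zones. It reads the standard IE registry locations; the function names are my own, and the per-user zone values assume no machine-wide policy overrides them.

```powershell
# Added example (not from the Trend Micro bulletin): audit a host for an exposed
# IE 6/7 install and for Active Scripting left enabled in the Internet zone.
# The "exposed" verdict follows the bulletin's statement that IE 8 is unaffected.

function Get-IEMajorVersion {
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction Stop
    # IE 10 and later record their real version in svcVersion; older builds only set Version.
    $verString = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
    return [int]($verString.Split('.')[0])
}

function Get-ZoneActiveScripting {
    param([int]$Zone)   # 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites
    $path = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $val = (Get-ItemProperty -Path $path -Name '1400' -ErrorAction SilentlyContinue).'1400'
    # Value 1400 is the Active Scripting setting: 0 = enabled, 1 = prompt, 3 = disabled.
    # A missing value means the zone default applies (enabled for the Internet zone).
    switch ($val) {
        0       { 'Enabled' }
        1       { 'Prompt' }
        3       { 'Disabled' }
        default { 'Enabled (zone default)' }
    }
}

$major    = Get-IEMajorVersion
$internet = Get-ZoneActiveScripting -Zone 3
$trusted  = Get-ZoneActiveScripting -Zone 2

# Prioritise the browser upgrade; scripting restriction is the fallback the bulletin suggests.
$recommendation = if ($major -le 7) {
    'IE 6/7 installed: upgrade to IE 8 and apply the Microsoft fix when available'
} elseif ($internet -like 'Enabled*') {
    'Consider disabling Active Scripting for the Internet zone (keep it for trusted sites only)'
} else {
    'No action needed for this check'
}

[pscustomobject]@{
    IEMajorVersion        = $major
    ExposedToCVE20100806  = ($major -le 7)
    InternetZoneScripting = $internet
    TrustedZoneScripting  = $trusted
    Recommendation        = $recommendation
}
```

Run it under each user profile that browses with IE, since zone settings live under HKCU; a Group Policy that sets the same values under HKLM would take precedence and is not read here.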

Trend Micro Solutions and Recommendations

Trend Micro™ Smart Protection Network™ infrastructure delivers security that is smarter than conventional approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ is a cloud-client content security infrastructure that automatically blocks threats before they reach you. A global network of threat intelligence sensors correlates with email, Web, and file reputation technologies 24 x 7 to provide comprehensive protection against threats. As the sophistication of threats, volume of attacks, and number of endpoints rapidly grow, the need for lightweight, comprehensive, and immediate threat intelligence in the cloud is critical to overall protection against data breaches, damage to business reputation, and loss of productivity.

In this attack, Web reputation service prevents users from accessing sites hosting JS_SHELLCODE.CD, JS_SHELLCOD.JDT, JS_SHELLCODE.YY, and JS_COSMU.A. File reputation service detects and consequently deletes malicious files such as TROJ_INJECT.JDT, TROJ_SASFIS.VR, TROJ_DLOADR.VR, TSPY_GAMETI.WOW, TROJ_DROPPR.FNZ, and TROJ_GAMETHI.FNZ from infected systems.

Trend Micro Deep Security™ and Trend Micro OfficeScan™ likewise protect business users via the Intrusion Defense Firewall (IDF) plug-in if their systems are updated with the IDF10-011 release, rule number IDF10011.

The following post at the TrendLabs Malware Blog discusses this threat:
http://blog.trendmicro.com/new-ie-zero-day-exploit-cve-2010-0806/

The virus reports are found here:
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_SHELLCODE.CD
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_SHELLCOD.JDT
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.JDT
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_SHELLCODE.YY
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SASFIS.VR
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.VR
http://threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_GAMETI.WOW
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_COSMU.A
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DROPPER.FNZ
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_GAMETHI.FNZ

Other related posts are found here:
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/56_ie_zero-day_vulnerability_opens_door_to_hydraq__january_27__2010_.pdf
http://blog.trendmicro.com/the-wonderful-wor1d-of-warcraft/
http://blog.trendmicro.com/keep-systems-safe-patch-alternative-browsers/