
Web Attack Bulletin: IE Exploit (HYDRAQ)

Date post: 18-Nov-2014
Upload: trend-micro
Description:
TrendLabs takes an in-depth look at the recent Internet Explorer exploit, HYDRAQ, which enabled an attack on Google and many other corporations.
Transcript

Zero-Day Internet Explorer Exploit Downloads HYDRAQ

Background of the Attack

We have been receiving several reports and inquiries surrounding a series of attacks that exploit an application vulnerability to download HYDRAQ variants onto infected computers. Awareness about the attacks that first manifested as targeted against individuals increased when the code used in them was made public. These attacks leverage a vulnerability in all versions of Internet Explorer (except IE 5.0) that has since been patched on January 21. For patch information, users are advised to refer to this Microsoft Web page.

Frequently Asked Questions

What happens in this attack?

Users may either receive spam or other inbound online communication that may lead them to various exploit-ridden URLs. These URLs are specifically designed by cybercriminals to carry exploits so they can execute code on the vulnerable computer without the visitor’s knowledge.

These exploits target a vulnerability in a widely used application for which, during the height of the attacks, there was no security update yet. Once the exploit is triggered by visiting the malicious site, a backdoor is downloaded onto the computer without the visitor’s knowledge.

The diagram above illustrates the known versions of this attack, each of which appeared one after another. The infection path using JS_DLOADER.FIS appeared first, followed by JS_ELECOM.C and so forth. Subsequent exploit codes appearing after JS_ELECOM.C in this attack are now detected as the JS_ELECOM.SMA-JS_ELECOM.SMB tandem. JS_DLOADER.FIS and the JS_ELECOM.SMA-JS_ELECOM.SMB tandem take advantage of CVE-2010-0249 to connect to URLs to download different variants of HYDRAQ malware.

WEB ATTACK BULLETIN | JANUARY 25, 2010

FROM THE FIELD: EXPERT INSIGHTS

• “[The confusion] lies in the fact that the exploit code has been evolving these past couple of days. The malicious scripts still point to the final payload. It’s like JS_DLOADER is the first generation, JS_ELECOM the second. And now we’re seeing HTML_COMLE as the third.”

—Trend Micro Network Architect Paul Ferguson on the evolution of the IE exploit and the perception that numerous attacks are ongoing

• “Technically... they are unrelated. But the fact that they happened at the same time decreases the possibility that they are completely unrelated.”

—Trend Micro Network Architect Paul Ferguson on the relationship of the IE exploit with the Adobe exploit used in earlier targeted attacks

• “If [the users] patch... But even then, this exploit will still likely be around for a long time. The vulnerability affects IE regardless of the Windows version. And some companies are still using default IE browser installations and cannot simply upgrade because of the way their operations work.”

—Trend Micro Research Manager Jamz Yaneza on whether the upcoming release of a security patch will lessen the impact of the IE exploit

©2010 by Trend Micro, Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, InterScan, NeatSuite, OfficeScan, and ScanMail are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. www.trendmicro.com

TrendLabs is Trend Micro’s global network of research, development, and action centers committed to 24/7 threat surveillance, attack prevention, and timely and seamless solutions delivery. With a 1,000-strong staff of experts and round-the-clock operations, it stays at the forefront of the Internet security industry and serves as the backbone of Trend Micro’s service infrastructure. With accurate, real-time data, TrendLabs delivers more effective security measures designed to detect, preempt, and eliminate attacks.

Headquartered in the Philippines, TrendLabs is the only multinational research and development center with an extensive regional presence, with labs in the United States, Japan, France, Germany, and China.

RELATED BLOG ENTRIES

• New IE Zero-Day Exploit Attacks Continue

• Cyber Attacks on Google and Others—Who Is Really at Risk?

• Trend Micro Proactively Helps Protect Against Zero-Day Attacks Like the Recent IE Exploit

RELATED VULNERABILITY

• Microsoft Internet Explorer DOM Operation Memory Corruption Vulnerability (979352)

RELATED MALWARE

• JS_DLOADER.FIS

• JS_ELECOM.C

• JS_ELECOM.SMA

• JS_ELECOM.SMB

• TROJ_HYDRAQ.K

• TROJ_COMELE.AJ

• TROJ_HYDRAQ.SMA

ONLINE VERSION

This is a developing story. Updates are made to the online version of this document as more information becomes available. The online version can be found at the Threat Encyclopedia Zero-Day Internet Explorer Exploit Downloads HYDRAQ special Web attack page.

Why is this threat especially dangerous?

Systems affected by this threat are compromised in such a way that attackers who successfully exploit the vulnerability could take complete control of the affected system (e.g., install programs; view, change, or delete data; or create new accounts with full user rights).

Am I at risk?

This attack is no longer targeted in nature. While the initial evolution of this attack was directed toward certain individuals, now that the code is accessible to everyone, cybercriminals can use it in their own attacks. Therefore, if you have been attacked and the browser you are using is vulnerable, your computer will perform the malicious routines of the Trojan payloads. These include connecting to several URLs, which may also host other malicious elements, and handing control of the computer to the attackers. A sample of the full range of malicious routines that can be performed on your computer can be found in the technical description for TROJ_HYDRAQ.SMA.

Is upgrading to the latest IE version enough to keep me from being affected?

No. The attack is continuously evolving. Performing the workaround provided by Microsoft is highly encouraged. However, enabling “Data Execution Prevention (DEP)” in IE versions where it is not enabled by default will only protect you from the publicly known exploits. There have already been reports of an exploit variant that can bypass “DEP.” It is best to apply the out-of-band patch at once.

So what can I do to protect my computer?

Applying the appropriate IE patch mentioned here is crucial in protecting your system. It would also be prudent to (1) update to the latest IE version, (2) make sure that “DEP” is enabled, and (3) use IE in protected mode (in Vista and Windows 7). Users are likewise advised to consider disabling JavaScript.
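As an added defender-side example (not part of the bulletin and not Trend Micro's own tooling), the PowerShell script below audits a Windows machine against the checklist above: the out-of-band patch is present, DEP is in effect for IE, Protected Mode is on for the Internet zone, and Active Scripting (JavaScript) is disabled. It assumes that KB978207 (Microsoft bulletin MS10-002) is the January 21 update for CVE-2010-0249, that the registry values named in the comments (DEPOff, and zone values 2500 and 1400) carry the IE 7/8 meanings described there, and PowerShell 3.0 or later; the function and variable names are the example's own.

```powershell
# Added example, not part of the Trend Micro bulletin: audit the local machine
# against the bulletin's checklist (IE patch, DEP, Protected Mode, Active Scripting).
# Assumptions (labelled): KB978207 is the out-of-band IE update of January 21,
# 2010 (MS10-002) that fixes CVE-2010-0249; the registry values below are the
# ones IE 7/8 use for these settings; requires PowerShell 3.0 or later.

function Get-RegValue {
    # Return a registry value, or $null if the key or value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-IEHardening {
    # Zone 3 is the Internet zone in IE's zone settings.
    $zone3 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

    # 1. Is the out-of-band patch present? (KB number is an assumption, see header.)
    $patch = Get-HotFix -Id 'KB978207' -ErrorAction SilentlyContinue

    # 2. System-wide DEP policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut.
    $depPolicy = (Get-CimInstance -ClassName Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy

    # 3. IE's "Enable memory protection to help mitigate online attacks" checkbox.
    #    DEPOff = 1 means DEP was switched off for IE; absent or 0 means it is on.
    $depOff = Get-RegValue 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'DEPOff'

    # 4. Protected Mode for the Internet zone (Vista/7 only): value 2500, 0 = on, 3 = off.
    $protectedMode = Get-RegValue $zone3 '2500'

    # 5. Active Scripting (JavaScript) for the Internet zone: value 1400,
    #    0 = enable, 1 = prompt, 3 = disable.
    $activeScripting = Get-RegValue $zone3 '1400'

    # 6. Installed IE version string.
    $ieVersion = Get-RegValue 'HKLM:\Software\Microsoft\Internet Explorer' 'Version'

    # DEP is in effect for IE if the system forces it (AlwaysOn), or if the policy
    # allows opt-in/opt-out and IE has not been switched off.
    $depEffective = ($depPolicy -eq 1) -or
                    (($null -ne $depPolicy) -and ($depPolicy -ne 0) -and ($depOff -ne 1))

    # Protected Mode cannot be judged when the value is absent (e.g. on Windows XP).
    if ($null -eq $protectedMode) { $protectedModeOn = 'unknown' }
    else { $protectedModeOn = ($protectedMode -eq 0) }

    [PSCustomObject]@{
        IEVersion            = $ieVersion
        PatchInstalled       = [bool]$patch
        SystemDEPPolicy      = $depPolicy
        IEDEPEffective       = $depEffective
        ProtectedModeEnabled = $protectedModeOn
        ActiveScriptDisabled = ($activeScripting -eq 3)
    }
}

$state = Test-IEHardening
$state | Format-List

# Map the findings back onto the bulletin's recommendations.
if (-not $state.PatchInstalled) {
    Write-Warning 'Out-of-band IE update for CVE-2010-0249 not found: apply it first.'
}
if (-not $state.IEDEPEffective) {
    Write-Warning 'DEP is not in effect for IE (the bulletin notes DEP alone does not stop every variant).'
}
if ($state.ProtectedModeEnabled -ne $true) {
    Write-Warning 'Protected Mode is not confirmed for the Internet zone (Vista/Windows 7).'
}
if (-not $state.ActiveScriptDisabled) {
    Write-Warning 'Active Scripting is still allowed in the Internet zone; the bulletin suggests disabling JavaScript.'
}
```

Run it in an elevated Windows PowerShell session on the machine being checked; the warnings it prints are the items from the list above that are still outstanding, and the object returned by Test-IEHardening can be collected across a fleet for reporting.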

Furthermore, Trend Micro customers receive up-to-date protection via the Smart Protection Network™. File reputation service detects and inhibits the download of malicious files detected as JS_DLOADER.FIS, JS_ELECOM.C, TROJ_HYDRAQ.SMA, TROJ_HYDRAQ.K, JS_ELECOM.SMA, JS_ELECOM.SMB, and TROJ_COMELE.AJ. Web reputation service likewise prevents access to malicious URLs. Lastly, Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with IDF1003879 and IDF1003909 filters.
