New IE, Media Player Attacks Begin, E-mail Lures Users
San Diego-based Websense said it was starting to see mass-mailed lures, i.e. messages with links to sites hosting a Vector Markup Language (VML) exploit. The sites, noted Websense, are using the WebAttacker "kit" that has been updated to include the VML exploit.
The message cited by Websense drew users to a page posing as a Yahoo Greeting Card. Users' PCs are compromised as soon as they hit the bogus site, since the VML exploit code is hidden in a 1-by-1-pixel iframe that looks like nothing more than a stray dot on the page. The site downloads and installs an IE Browser Helper Object that directs all HTTP posts to forms -- such as a logon form for an online bank -- to a third party. The object, naturally, is to collect lucrative financial information like bank or credit card account data.
"Every form entered gets posted to this third party site," said Dan Hubbard, Websense's head of research. "We've seen some of the results," he added, and confirmed that among the information were account usernames and passwords.
"Surprisingly, we haven't seen any mass e-mailed campaign yet, but we have seen some people try to access this site," Hubbard continued. Bugs in the WebAttacker kit's code, he said, may be why more sites aren't hosting the exploit, and thus why the volume of e-mail remains low.
The escalation to e-mail was expected. Last week, security analysts said that the next step for hackers would be to draw users to malicious sites with spammed lures, rather than wait for the unlucky to surf to an infected URL.
To make matters worse, other exploits are now in the wild, including one against IE that preceded the VML vulnerability, and another against at least some versions of Windows Media Player.
"The 'daxtcle.ocx' exploit was first just a denial-of-service proof-of-concept, but now we're seeing an exploit against a different function in that animation control," said Eric Sites, vice president of research and development at Sunbelt Software. "This is a working exploit" that can download malware to a fully-patched Windows XP SP2 system, he added.
Two weeks ago -- and just three days after Microsoft unveiled its September security updates -- news broke that Internet Explorer was vulnerable to attack through the daxctle.ocx COM object, which is part of a Microsoft ActiveX control dubbed "Microsoft DirectAnimation Path." Although that flaw was pushed to the background by the more dangerous VML vulnerability, it too has not been patched.
At the moment, the exploit that Sunbelt uncovered drops only one file on a compromised computer: a backdoor Trojan that will likely be used to download and install additional malware in the near future.
The newest exploit, said Sites, doesn't attack IE, but instead targets an apparently unpatched bug in Windows Media Player. The exploit, added Sites, isn't reliable: sometimes it works, sometimes it doesn't. "We're just starting to analyze this one," Sites said. "It looks like Windows Media Player 9 is vulnerable, maybe 10 too."
In other attack news Monday, both Hubbard and Sites said that the number of sites using the updated WebAttacker code remains quite low. Hubbard put it at "only a handful, five or six," while Sites said that "the sites using WebAttacker are not upgrading very quickly."
That, however, could change in a matter of hours.
"That would be awful if they all updated," said Sites, who estimated that there were at least 1,000 malicious sites hosting the Russian-made exploit kit. "We'd be screwed."