Attackers flock to Internet Explorer VML exploit

Security experts have warned of a sharp hike in the number of cyber-criminals actively exploiting the newly discovered VML vulnerability in Microsoft's Internet Explorer.

"More and more sites are using this exploit code," McAfee's Avert Labs virus researcher Craig Schmugar told vnunet.com. 

Inclusion of the exploit in a malware toolkit known as 'WebAttacker' has made it easier to implement, according to Schmugar.

"[WebAttacker] is known for making it easier for someone with less skill to use this toolkit to install their payload," he said.

"Tools have been posted to be able to plug in a URL and build an exploit that downloads and executes the file of choice."

Reports surfaced of an unpatched vulnerability in Internet Explorer's Vector Markup Language that could allow attackers to take control of a system. 

The vulnerability was first exploited through a group of adult websites hosted in Russia.

Over the weekend an existing data phishing operation started using the VML exploit in an effort to steal log-in data for financial websites, Roger Thompson, chief technology officer at Exploit Prevention Labs, said.

The group sends out weekly spam emails informing recipients that they have received a digital card through Yahoo Greetings. 

While users eventually arrive at the Yahoo website, they are first taken past an exploit server that infects their system with a Trojan.

The Trojan is designed to collect all information used in online forms, allowing the attackers to collect log-in details for banking websites and online payment services such as PayPal.

The attackers have been active for four to five months. Prior to exploiting the VML vulnerability, they targeted a critical security hole in the Microsoft Data Access Components in Windows that was repaired in April. 

Even when the group was targeting the patched vulnerability, the attackers harvested 200MB of data every week, according to Thompson's research.

He predicted that the group will ensnare even more victims now that it has started exploiting the unpatched VML exploit.

In another attack, online criminals hacked into user accounts at hosting provider HostGator through a vulnerability in the cPanel hosting software which the provider had failed to patch. 

The attackers tweaked the websites hosted through the provider to display a small 'iFrame' that directed users to a site hosting the exploit.

"What is interesting is that the exploit in cPanel only functions if you are a member of the hosting service," Eric Sites, vice president of research and development for Sunbelt Software, told vnunet.com. 

The security vendor first discovered the exploit through the hosting provider.

Microsoft is planning to release a patch for the VML vulnerability on 10 October as part of its regular patch release cycle. Last Friday a group of independent researchers published an unofficial VML fix. 

The increasing use of the vulnerability could force Microsoft to release its patch sooner, because security vendors are unable to add detection signatures for all the malware that is starting to exploit the vulnerability.

The SANS Internet Storm Center said that some instances of the exploit have been found to include browser and operating system detection. 

"Adding patterns for new payloads is an arms race that the antivirus vendors cannot win. If you have the option, we suggest you use the workaround of unreg istering the DLL as indicated in our earlier diary entry," wrote Daniel Wesemann.

Copyright ©v3.co.uk

attackers exploit explorer flock internet security to vml