Malware Attack Exploits Patched IE7 Vulnerability

A critical security flaw in Microsoft's Web browser IE7 has created an opportunity for hackers to remotely execute malicious software on the targeted system, including the possibility of a Trojan that could update itself, said antivirus firm Trend Micro.

According to Trend Micro, hackers are exploiting the particular vulnerability, MS09-002, by e-mailing to target users a specially created Word document. The spammed file, which looks genuine, is in reality a malevolent .DOC file that carries an ActiveX component ready to open any site infused with malware. If the exploit proves successful, a backdoor would be downloaded on the victim's system with further installation of a malicious file that steals sensitive data. The malware subsequently transmits the entire stolen information to a certain website through port 443.

Moreover, it appears that the malicious software has been reverse-engineered since it was created after the announcement of the patch, according to the security specialists. It has been observed that the code gathers data from the contaminated PC, encrypts and forwards the same to some the Chinese server.

Additionally, SANS Internet Storm Center Handler, Bojan Zdrnja, said that several antivirus agencies reported of MS09-002 exploits on the Web, as reported by vnunet on February 18, 2009. Zdrnja added that the attack code for the CVE-2009-0075 flaw (Uninitialized Memory Corruption in IE7) was confirmed and it was very effectively working on un-patched Windows XP systems.

Zdrnja further said that at first, some confusion prevailed regarding the attack as majority of the antivirus agencies referred to Word documents. While the exploit attacked IE7, it had until now been delivered as a .DOC file to the computer users.

Jamz Yaneza, Threat Research Manager at Trend Micro, states that the launch of the malicious software might have been coincided with the 50th anniversary of Tibetan uprising this year (2009), when politically characterized messages based on social engineering were sent to victims to lure them to view malicious attachments, as reported by CRN on February 17, 2009.

Meanwhile, the brief time gap between patch and malware means IT administrators would have to rush to update company servers, said security specialists.

Related article: Malware Authors Turn More Insidious

» SPAMfighter News - 2/26/2009