Attackers flock to Internet Explorer VML exploit

Security experts are noticing in increase in the number of exploits of the unpatched VML-vulnerability in Microsoft's Internet Explorer browser.

"More and more sites are being discovered to be using this exploit code," McAfee Avert Labs virus researcher Craig Schmugar told vnunet.com.

The inclusion of the exploit in a malware toolkit known as "WebAttacker" has made it easier to implement the exploit, according to Schmugar.

"[WebAttacker] is known for making it easier for someone with less skills to use this toolkit to install their payload. Tools have been posted for you to be basically able to plug in an URL and build an exploit that downloads and executes the file of choice," said Schmugar.

Reports surfaced last Wednesday of an unpatched vulnerability in Internet Explorer's Vector Markup Language (VML) that could allow attackers to take over control of a system. The vulnerability was first exploited through a group of adult websites that were hosted in Russia.

Over the weekend an existing data phishing operation started using the VML exploit in an effort to steal login data for financial websites, Roger Thompson, chief technology officer with Exploit Prevention Labs told vnunet.com.

The group sends out weekly spam emails informing the recipient that they have received a digital card through Yahoo Greetings. While users in the end visit the Yahoo website, they are first taken past an exploit server that infects their system with a trojan, Thompson explained.

The Trojan is designed to collect all the data that users enter in online forms, allowing the attackers to collect login information for banking websites and online payment services such as Paypal.

The attackers have been active for about four to five months. Prior to exploiting the VML vulnerability, they targeted a critical security hole in the Microsoft Data Access Components in Windows that was repaired in April.

Even when the group was targeting the patched vulnerability, the attackers harvested 200Mb of data every week, according to Thompson's research. He projects that the group will make even more victims now that it started exploiting the unpatched VML exploit.

In another attack, online criminal hacked into user accounts with hosting provider HostGator through a vulnerability in the cPanel hosting software that the provider had failed to patch.

The attackers tweaked the websites that were hosted through the provider to display a small 'iFrame' that directed users to a site hosting the exploit.

"What's interesting is the exploit in cPanel only functions if you are a member of the hosting service," Eric Sites, vice president of research and development for Sunbelt Software told vnunet.com. The security vendor first discovered the exploit through the hosting provider.

Microsoft is planning to release a patch for the VLM vulnerability on 10 October as part of its regular patch release cycle. Last Friday a group of independent researchers published an unofficial fix for the vulnerability.

The increasing use of the vulnerability however could force Microsoft to  release its patch sooner as patch, because security vendors are unable to add detection signatures for all the malware that is starting to exploit the vulnerability.

The SANS Internet Storm Center said that the some instances of the exploit have been found to include browser and operating system detection.

"Adding patterns for new [...] payloads is an arms race the anti virus vendors can't win. If you have the option, we suggest you use the work around of unregistering the DLL as indicated in our earlier diary entry," wrote Daniel Wesemann.  

Tom Sanders contributed to this report.

Copyright ©v3.co.uk

attackersexploitexplorerflockinternetsecuritytovml