Web Attack Bulletin

Zero-Day Internet Explorer
Exploit Downloads HYDRAQ

as the JS_ELECOM.SMA-JS_ELECOM.SMB tandem....
Upcoming SlideShare
Loading in …5

Web Attack Bulletin: IE Exploit (HYDRAQ)


Published on

TrendLabs takes an in depth look at the recent Internet Explorer Exploit, HYDRAQ, which enabled an attack on Google and many other corporations.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Web Attack Bulletin: IE Exploit (HYDRAQ)

  1. 1. Web Attack Bulletin SM Zero-Day Internet Explorer Exploit Downloads HYDRAQ Background of the Attack We have been receiving several reports and inquiries surrounding a series of attacks that exploit FROM THE FIELD: EXPERT INSIGHTS an application vulnerability to download HYDRAQ variants onto infected computers. Awareness about the attacks that first manifested as targeted against individuals increased when the code used in them was made public. These attacks leverage a vulnerability in all versions of Internet • “[The confusion] lies in the fact that the Explorer (except IE 5.0) that has since been patched on January 21. For patch information, users exploit code has been evolving these are advised to refer to this Microsoft Web page. past couple of days. The malicious scripts still point to the final payload. It’s like JS_DLOADER is the first generation, JS_ ELECOM the second. And now we’re seeing HTML_COMLE as the third.” —Trend Micro Network Architect Paul Ferguson on the evolution of the IE exploit and the perception that numerous attacks are ongoing • “Technically... they are unrelated. But the fact that they happened at the same time decreases the possibility that they are completely unrelated.” —Trend Micro Network Architect Paul Ferguson on the relationship of the IE exploit with the Adobe exploit used in earlier targeted attacks • “If [the users] patch... But even then, this exploit will still likely be around for a long time. The vulnerability affects IE regardless of the Windows version. And some companies are still using default IE browser installations and cannot simply upgrade Frequently Asked Questions because of the way their operations work.” What happens in this attack? —Trend Micro Research Manager Jamz Yaneza on whether the upcoming release of Users may either receive spam or other inbound online communication that may lead them to a security patch will lessen the impact of the various exploit-ridden URLs. These URLs are specifically designed by cybercriminals to carry IE exploit exploits so they can execute code on the vulnerable computer without the visitor’s knowledge. These exploits target a vulnerability in a widely used application for which, during the height of the attacks, there was no security update yet. Once the exploit is triggered by visiting the malicious site, a backdoor is downloaded onto the computer without the visitor’s knowledge. The diagram above illustrates the known versions of this attack, each of which appeared one after another. The infection path using JS_DLOADER.FIS appeared first, followed by JS_ELECOM.C and so forth. Subsequent exploit codes appearing after JS_ELECOM.C in this attack are now detected WEB ATTACK BULLETIN I JANUARY 25, 2010 Page 1 of 2
  2. 2. TREND MICRO | TRENDLABS ZERO-DAY INTERNET EXPLORER EXPLOIT DOWNLOADS HYDRAQ as the JS_ELECOM.SMA-JS_ELECOM.SMB tandem. JS_DLOADER.FIS and the JS_ELECOM.SMA-JS_ RELATED BLOG ENTRIES ELECOM.SMB tandem take advantage of CVE-2010-0249 to connect to URLs to download different variants of HYDRAQ malware. • New IE Zero-Day Exploit Attacks Continue Why is this threat especially dangerous? • Cyber Attacks on Google and Others—Who Is Really at Risk? Systems affected by this threat are compromised in such a way that the attackers who successfully exploit the vulnerability could take complete control of an affected system (e.g., install programs or • Trend Micro Proactively Helps Protect view, change, or delete data or create new accounts with full user rights). Against Zero-Day Attacks Like the Recent IE Exploit Am I at risk? This attack is no longer targeted in nature. While the initial evolution of this attack was directed RELATED VULNERABILITY toward certain individuals, now that the code is accessible to everyone, cybercriminals can use this in their own attacks. Therefore, if you have been attacked and the browser you are using is vulnerable then your computer will perform the malicious routines of the Trojan payloads. • Microsoft Internet Explorer DOM Operation These include connecting to several URLs, which may also host other malicious elements, and Memory Corruption Vulnerability (979352) reassigning control of the computer to malicious attackers. A sample serving of the full range of malicious routines that can be performed on your computer can be found in the technical description for TROJ_HYDRAQ.SMA. RELATED MALWARE Is upgrading to the latest IE version enough to keep me from being • JS_DLOADER.FIS affected? • JS_ELECOM.C • JS_ELECOM.SMA No. The attack is continuously evolving. Performing the workaround provided by Microsoft is highly encouraged. However, enabling “Data Execution Prevention (DEP)” in IE versions where it is • JS_ELECOM.SMB not enabled by default will only protect you from the publicly known exploits. There have already • TROJ_HYDRAQ.K been reports of an exploit variant that can bypass “DEP.” It is best to apply the out-of-band patch • TROJ_COMELE.AJ at once. • TROJ_HYDRAQ.SMA So what can I do to protect my computer? ONLINE VERSION Applying the appropriate IE patch mentioned here is crucial in protecting your system. It would also be prudent to (1) update to the latest IE version, (2) make sure that “DEP” is enabled, and (3) This is a developing story. Updates are use IE in protected mode (in Vista and Windows 7). Users are likewise advised to consider disabling made to the online version of this document JavaScript. as more information becomes available. The online version can be found at the Threat Furthermore, Trend Micro customers receive up-to-date protection via the Smart Protection Encyclopedia Zero-Day Internet Explorer Network™. File reputation service detects and inhibits the download of malicious files detected Exploit Downloads HYDRAQ special Web as JS_DLOADER.FIS, JS_ELECOM.C, TROJ_HYDRAQ.SMA, TROJ_HYDRAQ.K, JS_ELECOM.SMA, attack page. JS_ELECOM.SMB, and TROJ_COMELE.AJ. Web reputation service likewise prevents access to malicious URLs. Lastly, Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with IDF1003879 and IDF1003909 filters. SM ©2010 by Trend Micro, Incorporated. All rights reserved. TrendLabs is Trend Micro’s global network of research, development, and action centers committed to 24/7 threat surveillance, attack Trend Micro, the Trend Micro t-ball logo, InterScan, prevention, and timely and seamless solutions delivery. With a 1,000-strong staff of experts and round-the-clock operations, it stays at NeatSuite, OfficeScan, and ScanMail are trademarks or the forefront of the Internet security industry and serves as the backbone of Trend Micro’s service infrastructure. With accurate, real- registered trademarks of Trend Micro, Incorporated. All time data, TrendLabs delivers more effective security measures designed to detect, preempt, and eliminate attacks. other product or company names may be trademarks or Headquartered in the Philippines, TrendLabs is the only multinational research and development center with an extensive regional registered trademarks of their owners. presence, with labs in the United States, Japan, France, Germany, and China. www.trendmicro.com WEB ATTACK BULLETIN I JANUARY 25, 2010 Page 2 of 2