Hackers Compromise Legit Web Sites to Target Microsoft IE Flaw

Microsoft reported a significant increase in the number of users infected with malware targeting a vulnerability in Internet Explorer widely reported last week. The flaw affects all supported editions of IE.

Hackers have begun compromising Web sites to infect vulnerable computers with malware that exploits a zero-day flaw in Internet Explorer revealed last week.

Microsoft reported a significant increase in the number of infected users over the weekend, and researchers at Trend Micro estimated about 6,000 sites had been infected. The move is a shift in tactics for hackers, who had been relying on rogue Web sites to propagate their malware.

"Based on our stats, since the vulnerability has gone public, roughly 0.2 percent of users worldwide may have been exposed to Web sites containing exploits of this latest vulnerability," according to a posting on the Microsoft Malware Protection Center (MMPC) blog. "That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going upwards: we saw an increase of over 50 percent in the number of reports today compared to yesterday."

So far, the compromised sites have run the gamut, ranging from a popular search engine in Taiwan – now reportedly clean – to various pornography sites.

“We recently found a Web site in Hong Kong that serves various content including adult entertainment,” according to the MMPC blog. “Users who hoped to watch that content, became target of those attacks: specifically, the exploit dropped Trojans that we detect as Trojan:Win32/VB.IQ.dr and Trojan:Win32/VB.IQ.”

Other compromised sites included a Chinese sporting goods site with a traffic rank of close to 7 million. According to Trend Micro, the site contained HTML code that directed users to a remote site with malicious script. The final payload is a worm detected by Trend Micro as WORM_AUTORUN.BSE. Other exploits that also lead to the worm are HTML_IFRAME.ZM, JS_DLOADER.QGV and HTML_AGENT.CPZZ, according to Trend.

“Obfuscated JavaScript in the HTML Web pages are also detected as JS_DLOAD.MD, the same malicious script found to exploit the zero-day vulnerability in IE7,” Trend Micro’s Mayee Corpin wrote on the company’s security blog.

Exploits for the zero-day, which affects all versions of Internet Explorer (IE), began to proliferate last week shortly after Microsoft’s monthly Patch Tuesday release. The vulnerability lies in the way the browser handles DHTML Data Bindings.

The best way to get rid of this is to switch to another Internet browser and stop using Internet Explorer (IE).

I'm recommending Mozilla Firefox. Mozilla Firefox is a free and open source web browser descended from the Mozilla Application Suite, managed by the Mozilla Corporation. Firefox had 20.78% of the recorded usage share of web browsers as of November 2008, making it the second-most popular browser in current use worldwide, after Internet Explorer.

Firefox uses a sandbox security model, and limits scripts from accessing data from other web sites based on the same origin policy. It uses SSL/TLS to protect communications with web servers using strong cryptography when using the https protocol. It also provides support for web applications to use smartcards for authentication purposes.

The Mozilla Foundation offers a "bug bounty" to researchers who discover severe security holes in Firefox. Official guidelines for handling security vulnerabilities discourage early disclosure of vulnerabilities so as not to give potential attackers an advantage in creating exploits.

Because Firefox has fewer and less severe publicly known unpatched security vulnerabilities than Internet Explorer, improved security is often cited as a reason to switch from Internet Explorer to Firefox. The Washington Post reports that exploit code for critical unpatched security vulnerabilities in Internet Explorer was available for 284 days in 2006. In comparison, exploit code for critical security vulnerabilities in Firefox was available for 9 days before Mozilla shipped a patch to remedy the problem. Symantec in their statement, saying that Firefox still had much fewer security vulnerabilities than Internet Explorer, as counted by security researchers.

With more than 15,000 improvements, Firefox 3 is faster, safer and smarter than ever before for safe Internet surfing.
To download the software, go to http://www.mozilla.com/en-US/firefox/

For portable version of Firefox, visit http://portableapps.com/ to grab one.