From the Field: Expert Insights
"[The confusion] lies in the fact that the exploit code has been evolving these past couple of days. The malicious scripts still point to the final payload. It's like JS_DLOADER is the first generation, JS_ELECOM the second. And now we're seeing HTML_COMLE as the third."

- Trend Micro Network Architect Paul Ferguson, on the evolution of the Internet Explorer exploit and the perception that numerous attacks are ongoing


"Technically...they are unrelated. But the fact that they happened at the same time decreases the possibility that they are completely unrelated."

- Trend Micro Network Architect Paul Ferguson, on the relationship of the IE exploit with the Adobe exploit used in the earlier targeted attacks



"If [the users] patch... But even then this exploit will still likely be around for a long time. The vulnerability affects IE regardless of the Windows version. And some companies are still using default IE browser installations and cannot simply upgrade because of the way their operations work."

- Trend Micro Research Manager Jamz Yaneza, on whether the upcoming release of a security patch will lessen the impact of the IE exploit


Threat Encyclopedia
Zero-Day Internet Explorer Exploit Downloads HYDRAQ

Background of the attack: We have been receiving several reports and inquiries surrounding a series of attacks that exploit an application vulnerability to download HYDRAQ variants onto infected computers. The attacks first manifested as targeted attacks against individuals; awareness of them increased when the code used in these attacks was made public. These attacks leverage a vulnerability present in all versions of Internet Explorer (except IE 5.0). For patch information, users are advised to refer to this Microsoft web page.

Facts

What happens in this attack?

Users may receive spam or other inbound online communication that leads them to various exploit-ridden URLs. These URLs are specifically designed by cybercriminals to carry exploits so they can execute code on the visitor's computer without the visitor's knowledge.

These exploits target a vulnerability in a widely-used application for which there is no security update yet. [Jan. 21 update: Patch now available at the Microsoft web page.] Once the exploit is triggered by visiting the malicious site, a file is downloaded onto the computer without the visitor's knowledge. The file is a backdoor.


The diagram above illustrates the known versions of this attack, each of which appeared one after the other. The infection path using JS_DLOADER.FIS appeared first, followed by JS_ELECOM.C and so forth. [Jan. 21 update: Subsequent exploit codes appearing after JS_ELECOM.C in this attack are now detected as the JS_ELECOM.SMA-JS_ELECOM.SMB tandem.] This is a developing story. These exploit codes take advantage of CVE-2010-0249 and then connect to URLs to download different variants of HYDRAQ malware.


Why is this threat especially dangerous?

Systems affected by this threat are compromised in such a way that the attackers who successfully exploit this vulnerability could take complete control of an affected system (e.g. install programs or view, change, or delete data, or create new accounts with full user rights).

Am I at risk?
This attack is no longer targeted in nature. While it was initially directed at certain individuals, now that the code is accessible to everyone, cybercriminals can use it in their own attacks. Therefore, if you are attacked while using a vulnerable browser, your computer will perform the malicious routines of the Trojan payloads. These include connecting to several URLs, which may also host other malicious elements, and handing control of the computer to the attackers. A sample of the full range of malicious routines that can be performed on your computer can be found in the technical description for TROJ_HYDRAQ.SMA.


Is upgrading to the latest IE version enough to keep me from getting affected?
No. The attack is continuously evolving. Performing the workaround provided by Microsoft is highly encouraged; however, enabling Data Execution Prevention (DEP) in IE versions where it is not enabled by default will only protect you from the publicly known exploits. There have already been reports of an exploit variant that can bypass DEP. [Jan. 21 update: Patch now available at the Microsoft web page.]

So what can I do to protect my computer?
Apart from (1) updating to the latest Internet Explorer version, (2) making sure that Data Execution Prevention (DEP) is enabled, and (3) using IE in Protected Mode (available for IE on Vista and Windows 7), users should consider disabling JavaScript. Trend Micro OfficeScan™ users with the Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with the IDF1003879 and IDF1003909 filters. Most importantly, update your IE browser by applying the patch mentioned here.
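The checklist above can be audited from PowerShell on a Windows host. The script below is an added example written for this page, not Trend Micro's or Microsoft's code. It assumes the standard registry locations for the IE version and for the Internet-zone settings (Protected Mode and Active Scripting), reads the system DEP policy from WMI, and uses a placeholder for the KB number of the Microsoft cumulative update (take the real number from the Microsoft page linked above). It only reads state and changes nothing.

```powershell
# Added example (not Trend Micro's or Microsoft's code): read-only audit of the
# IE mitigations discussed above. Run as the user whose IE profile you want to
# check, since the zone settings live under HKCU.
param(
    # Placeholder: the KB number of the Microsoft cumulative IE update for this
    # vulnerability is listed on the Microsoft advisory page the writeup links to.
    [string]$PatchKb = 'KB<number-from-Microsoft-advisory>'
)

function Get-IeMitigationStatus {
    param([string]$PatchKb)

    # IE version: "svcVersion" is present on IE 10 and later, "Version" on older builds.
    $ie = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    $ieVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }

    # System-wide DEP policy (Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy):
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows binaries plus programs that opt in),
    # 3 = OptOut (everything except an exclusion list).
    $depPolicy = [int](Get-CimInstance Win32_OperatingSystem).DataExecutionPrevention_SupportPolicy
    $depName   = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }[$depPolicy]
    # Assumption: under OptIn we cannot tell from here whether IE itself (or the
    # Microsoft workaround) opted in, so only AlwaysOn/OptOut are reported as certain.
    $depCoversIe = ($depPolicy -eq 1 -or $depPolicy -eq 3)

    # Internet zone (zone 3) settings for the current user:
    #   2500 = Protected Mode   (0 = on, 3 = off; Vista and Windows 7 with UAC enabled)
    #   1400 = Active Scripting (0 = enable, 1 = prompt, 3 = disable)
    $zone = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3' -ErrorAction SilentlyContinue
    $protectedMode   = ($zone.'2500' -eq 0)
    $activeScripting = switch ($zone.'1400') { 0 { 'Enabled' } 1 { 'Prompt' } 3 { 'Disabled' } default { 'Unknown' } }

    # Is the Microsoft cumulative update installed? (returns $false for the placeholder)
    $patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        IEVersion               = $ieVersion
        DEPPolicy               = $depName
        DEPCoversIE             = $depCoversIe
        ProtectedModeInternet   = $protectedMode
        ActiveScriptingInternet = $activeScripting
        PatchInstalled          = $patched
        # The writeup's own point: DEP and Protected Mode only reduce exposure; the patch removes it.
        Recommendation          = if ($patched) { 'Patched' } else { 'Apply the Microsoft update; DEP and Protected Mode are interim measures only' }
    }
}

Get-IeMitigationStatus -PatchKb $PatchKb | Format-List
```

The object it returns can be collected from many hosts and filtered on PatchInstalled, which is the one field that settles the question; the DEP and Protected Mode fields are useful for prioritising unpatched machines, not for declaring them safe.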

Vulnerability name: Microsoft Internet Explorer DOM Operation Memory Corruption Vulnerability
Risk rating: Critical
Advisory date: Jan. 15, 2010