Background of the attack: We have been receiving several reports and inquiries about a series of attacks that exploit an application vulnerability to download HYDRAQ variants onto infected computers. Awareness of the attacks, which first manifested as targeted attacks against individuals, increased when the code used in these attacks was made public. These attacks leverage a vulnerability in all versions of Internet Explorer (except IE 5.0). For patch information, users are advised to refer to this Microsoft web page.
What happens in this attack?
Users may receive spam or other inbound online communication that leads them to various exploit-ridden URLs. These URLs are specifically designed by cybercriminals to carry exploits so that they can execute code on the visitor's computer without the visitor's knowledge.
These exploits target a vulnerability in a widely used application for which, at the time of writing, there was no security update. [Jan. 21 update: Patch now available at the Microsoft web page.] Once the exploit is triggered by visiting the malicious site, a file is downloaded onto the computer without the visitor's knowledge. The file is a backdoor.
The diagram above illustrates the known versions of this attack, each of which appeared after the previous one. The infection path using JS_DLOADER.FIS appeared first, followed by JS_ELECOM.C, and so forth. [Jan. 21 update: Subsequent exploit codes appearing after JS_ELECOM.C in this attack are now detected as the JS_ELECOM.SMA-JS_ELECOM.SMB tandem.] This is a developing story. These exploit codes take advantage of CVE-2010-0249 to connect to URLs that download different variants of the HYDRAQ malware.
Why is this threat especially dangerous?
Systems affected by this threat are compromised in such a way that attackers who successfully exploit this vulnerability can take complete control of the affected system: for example, install programs; view, change, or delete data; or create new accounts with full user rights.
Am I at risk?
This attack is no longer targeted in nature. While the initial wave of this attack was directed at certain individuals, now that the code is accessible to everyone, cybercriminals can use it in their own attacks. Therefore, if you are attacked while using a vulnerable browser, your computer will perform the malicious routines of the Trojan payloads. These include connecting to several URLs, which may also host other malicious elements, and handing control of the computer to the attackers. A sample of the full range of malicious routines that can be performed on your computer can be found in the technical description for TROJ_HYDRAQ.SMA.
Is upgrading to the latest IE version enough to keep me from getting affected?
No. The attack is continuously evolving. Performing the workaround provided by Microsoft is highly encouraged; however, enabling Data Execution Prevention (DEP) in IE versions where it is not enabled by default will only protect you from the publicly known exploits. There have already been reports of an exploit variant that can bypass DEP. [Jan. 21 update: Patch now available at the Microsoft web page.]
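Because the DEP workaround only helps if DEP is actually in force for the Internet Explorer process, it is worth verifying rather than assuming. The following PowerShell snippet is an added example, not code from the original post or from Microsoft's advisory: it reads the system-wide DEP policy from WMI and then asks the kernel, via the Win32 GetProcessDEPPolicy API, whether each running iexplore.exe process has DEP enabled. It assumes a 32-bit IE process on Windows XP SP3, Vista SP1 or later (GetProcessDEPPolicy is not supported for 64-bit processes, where DEP is always on) and enough rights to open the process.

```powershell
# Added example (not part of the original post): confirm that DEP is really
# enabled for running Internet Explorer processes.
# Assumes Windows XP SP3 / Vista SP1 or later, 32-bit iexplore.exe, and
# permission to query the process (run from an elevated prompt if needed).

# P/Invoke declaration for GetProcessDEPPolicy (kernel32.dll).
Add-Type -Namespace Win32 -Name Dep -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@

# System-wide policy as reported by WMI:
#   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut
# Under OptIn, a process only gets DEP if it opts in (IE8 does; IE6/IE7 do not
# unless the "Enable memory protection" option or the MS workaround is applied).
$os = Get-WmiObject -Class Win32_OperatingSystem
"System DEP policy: {0} (hardware DEP available: {1})" -f `
    $os.DataExecutionPrevention_SupportPolicy, $os.DataExecutionPrevention_Available

$ieProcs = Get-Process -Name iexplore -ErrorAction SilentlyContinue
if (-not $ieProcs) { "No iexplore.exe process is running."; return }

foreach ($p in $ieProcs) {
    $flags = [uint32]0
    $permanent = $false
    if ([Win32.Dep]::GetProcessDEPPolicy($p.Handle, [ref]$flags, [ref]$permanent)) {
        # PROCESS_DEP_ENABLE = 0x1; bit 0x2 disables ATL thunk emulation.
        $enabled = (($flags -band 1) -ne 0)
        "iexplore.exe PID {0}: DEP enabled = {1}, permanent = {2}" -f $p.Id, $enabled, $permanent
    } else {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        "iexplore.exe PID {0}: GetProcessDEPPolicy failed (Win32 error {1})" -f $p.Id, $err
    }
}
```

A result of "DEP enabled = False" on an IE6 or IE7 process means the workaround is not in effect for that process and the browser is exposed even to the publicly known exploit. Keep in mind the caveat above: a "True" result confirms the mitigation is active, but it does not protect against the DEP-bypassing variant; only the patch does.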
So what can I do to protect my computer?