Web Threat Spotlight Issue 60: TrendLabs looks at recent IE6 and IE7 vulnerability and the related MMOG info stealing malware associated with it.

1. Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.
ISSUE NO. 60
MARCH 29, 2010
New IE Zero-Day Exploit Triggers Info Theft
Zero-day vulnerabilities and exploits seem to be a recurring theme in recent months. Several software and browsers received
criticism for critical vulnerabilities that were made public. Topping the list is Internet Explorer (IE), which was found to have two
separate security vulnerabilities in March alone. The most recent of these zero-day vulnerabilities unfortunately led to several
malware detections, which in some instances, paved the way for game-related information theft.
The Threat Defined
Several news on zero-day vulnerabilities
recently made headlines. Just months
after the much-publicized IE bug exploit
related to the HYDRAQ attacks, a new IE
vulnerability prompted Microsoft to
release another security advisory to warn
its users.
Security Advisory (981374) informs users
of a vulnerability that exists due to an
invalid pointer reference bug within IE,
which has been identified as CVE-2010-
0806. This particular bug can be
exploited under certain conditions to
execute malicious code. The vulnerability
primarily affects IE 6 and 7 but does not
affect IE 8. Systems using the latest
Windows versions—Windows 7 and
Server 2008—are likewise automatically
immune from this threat since the said
OS versions are shipped with IE 8.
Unfortunately, systems that came
preinstalled with earlier versions of IE can
fall prey to several malware detections
that exploit the still-unpatched zero-day
flaw. Visiting compromised websites
using IE 6 or 7 may result in the
download of malicious script files that
take advantage of the said vulnerability to
allow a remote user to access the
affected system. To date, Trend Micro
has detected several attacks that all Figure 1. CVE-2010-0806 exploit infection diagram
begin with a malicious JavaScript file.
Two different detections, JS_SHELLCODE.CD and JS_SHELLCOD.JDT, both exploit the vulnerability and attempt
to download files. For its part, JS_SHELLCOD.JDT successfully downloads TROJ_INJECT.JDT, which also tries to
connect to a URL that has since become inaccessible. In separate infection chains, another pair of detections
leaves affected systems ridden with multiple malware. JS_SHELLCODE.YY and JS_COSMU.A download and drop
other malware, which eventually lead to information theft. The final payloads, TSPY_GAMETI.WOW and
TROJ_GAMETHI.FNZ, both steal user names and passwords related to the game, World of Warcraft (WoW).
1 of 2 – WEB THREAT SPOTLIGHT

2. Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.
Considering the fact that real money can be made through stealing online-gaming credentials, it is not surprising
that cybercriminals leveraged a critical IE vulnerability for personal gain. In 2009, massively multiplayer online
(MMO) games in the United States alone made as much as US$3.8 billion, proving the extensive moneymaking
opportunities that games like WoW offer. Exploiting game bugs for fraud and cheating is yet another recurring
theme in cybersecurity, the end of which is nowhere in sight. However, exploiting an IE bug instead of directly
hacking games puts a different spin to the typical game-related information theft techniques. It likewise proves that
cybercriminals will stop at nothing to carry out their malicious intentions.
User Risks and Exposure
While vulnerabilities constantly exist, zero-day flaws complicate matters because of the time factor involved. As
developers rush to protect users, cybercriminals are likewise on the run to use the bug to their advantage. The
recent IE vulnerability is yet another proof of how zero-day exploits can lead to a complex infection chain.
To avoid zero-day exploits, users should use updated versions of all software and ensure that their antivirus
patterns are up-to-date at all times. It is also important to be wary of links, files, and downloadable data from
untrustworthy sources. Disabling scripting or, at least, regulating its use to trusted sites is also a good option to
avoid falling prey to exploits that abuse script files.
Using alternative browsers is another option. However, it is also important to note that even other browsers have
vulnerabilities that are not immediately fixed. As such, users should patch all software as soon as updates are
released. Patching systems requires a lot of work but is a critical step in ensuring system security.
Trend Micro Solutions and Recommendations
Trend Micro™ Smart Protection Network™ infrastructure delivers security that is smarter than conventional
approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ is a cloud-client
content security infrastructure that automatically blocks threats before they reach you. A global network of threat
intelligence sensors correlates with email, Web, and file reputation technologies 24 x 7 to provide comprehensive
protection against threats. As the sophistication of threats, volume of attacks, and number of endpoints rapidly grow,
the need for lightweight, comprehensive, and immediate threat intelligence in the cloud is critical to overall
protection against data breaches, damage to business reputation, and loss of productivity.
In this attack, Web reputation service prevents users from accessing sites hosting JS_SHELLCODE.CD,
JS_SHELLCOD.JDT, JS_SHELLCODE.YY, and JS_COSMU.A. File reputation service detects and consequently
deletes malicious files such TROJ_INJECT.JDT, TROJ_SASFIS.VR, TROJ_DLOADR.VR, TSPY_GAMETI.WOW,
TROJ_DROPPR.FNZ, and TROJ_GAMETHI.FNZ from infected systems.
Trend Micro Deep Security™ and Trend Micro OfficeScan™ likewise protect business users via the Intrusion
Defense Firewall (IDF) plug-in if their systems are updated with the IDF10-011 release, rule number IDF10011.
The following post at the TrendLabs Malware Blog discusses this threat:
http://blog.trendmicro.com/new-ie-zero-day-exploit-cve-2010-0806/
The virus reports are found here:
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_SHELLCODE.CD
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_SHELLCOD.JDT
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_INJECT.JDT
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_SHELLCODE.YY
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_SASFIS.VR
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.VR
http://threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_GAMETI.WOW
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_COSMU.A
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DROPPER.FNZ
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_GAMETHI.FNZ
Other related posts are found here:
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/56_ie_zero-day_vulnerability_opens_door_to_hydraq__
january_27__2010_.pdf
http://blog.trendmicro.com/the-wonderful-wor1d-of-warcraft/
http://blog.trendmicro.com/keep-systems-safe-patch-alternative-browsers/
2 of 2 – WEB THREAT SPOTLIGHT