Attackers are launching new assaults on Windows, using an unpatched, critical zero-day bug in Visual Studio 2005. The exploits employ an unusual method of downloading known trojans onto their fake Websites.(See Hackers Aim at Microsoft Visual Studio 2005.)
"We started seeing several hundreds of hits from various IP addresses this weekend," says Mike Dausin, a security researcher at TippingPoint. The attacks are originating from Russia, he says. "They are using this vulnerability to install viruses on computers in the U.S."
Microsoft has acknowledged that there are exploits in the wild of this vulnerability, but confusion remains over whether or not this is actually the first time it was exploited in a real attack.
TippingPoint's Dausin says this is the first attack using the bug that his company is aware of. The bug was first revealed publicly by Microsoft on October 31, and TippingPoint says it first reported it to Microsoft in June. But researcher HD Moore says he heard about the attack in July from a hacker who was already exploiting the as-yet unpublicized bug to install adware, and that he informed Microsoft about it.
It's unclear if the bug will be included among the security bulletins in Microsoft's Patch Tuesday Nov. 14. Microsoft will issue five Windows patches, some of which are critical, and one for XML Core Services, also rated as critical, the company said today. Researchers are hopeful a related zero-day bug in XML will be among those patches.
Like the Visual Studio 2005 Windows bug, the XML bug lets attackers take over Windows machines whose users merely visit their sites, an attack known as a "drive-by" download.
"A drive-by download is when you visit a site and suddenly get" the malware downloaded onto your machine, TippingPoint's Dausin says. "There's no interaction required."
The Visual Studio 2005 vulnerability -- officially called WMIObjectBroker ActiveX control (CVE-2006-4704) -- is included in one of the Metasploit penetration tool modules, so it's been available to hackers since August. It's basically a bug in an ActiveX control in Visual Studio 2005 on Windows.
Attackers are currently hosting Websites with the bug and using it to go out and download known trojans -- such as Galopoper.A -- from elsewhere to install on their sites, Dausin says. "I hadn't seen an exploit load a known virus or trojan -- typically, they use their shell code to install" malware, he says. "The Russian sites are using this vulnerability to go out and download this trojan from somewhere else," which is easier and ensures it can run on different platforms, he says.
According to Moore, this is a lazier method. "Usually people use a custom trojan, if only to bypass antivirus signatures," he says. "Using a well-known trojan would make detection that much easier."
Microsoft's Visual Studio 2005 is a tool used mainly by software developers, so these users would be most at risk. And a victim could get hit by this attack merely by visiting a site. "The attackers are simply trying to install a piece of malware," Dausin says. "The exploit allows the attacker the freedom to silently install anything she/he wants -- keystroke logger, spyware, adware, or any executable."
How can you protect yourself? You can disable ActiveX in Internet Explorer, but that's not realistic for most users, Dausin says. Firefox currently is not affected.
You're safe if you run the Enhanced Security Configuration on Windows Server 2003 or on Windows Server 2003 SP1. If you're running Internet Explorer 7, you're only at risk if you activate the WMI Object Broker ActiveX control, which is part of WmiScript.Utils.dll.
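An added example, not from the article or from Microsoft, showing the middle ground between disabling ActiveX entirely and leaving the control enabled: setting Internet Explorer's per-control "kill bit" so IE refuses to instantiate one specific ActiveX control. The article does not give the WMI Object Broker control's CLSID, so the value below is a placeholder to be replaced from the vendor advisory; the script assumes a 32-bit IE registry view and an elevated shell.

```powershell
# Added example (not from the article): set the IE kill bit for one ActiveX control.
# The CLSID is a PLACEHOLDER; the article does not state the control's CLSID.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'  # placeholder, replace
)

# Compatibility Flags value 0x400 tells IE never to instantiate the control.
$killBitFlag = 0x400
# Assumption: 32-bit IE view; on 64-bit Windows the Wow6432Node hive may also need it.
$keyPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}

# Preserve any flags already present and OR in the kill bit.
$current = (Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags' `
            -ErrorAction SilentlyContinue).'Compatibility Flags'
$newValue = [int]($current -bor $killBitFlag)
Set-ItemProperty -Path $keyPath -Name 'Compatibility Flags' -Value $newValue -Type DWord

# Verify the bit actually landed before reporting success.
$check = (Get-ItemProperty -Path $keyPath -Name 'Compatibility Flags').'Compatibility Flags'
if (($check -band $killBitFlag) -eq $killBitFlag) {
    Write-Output ("Kill bit set for {0} (Compatibility Flags = 0x{1:X})" -f $Clsid, $check)
} else {
    Write-Error "Failed to set kill bit for $Clsid"
}
```

Because the kill bit is keyed on the CLSID, it blocks only that control and leaves other ActiveX functionality in IE untouched, which addresses the objection that disabling ActiveX wholesale is unrealistic for most users.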
Kelly Jackson Higgins, Senior Editor, Dark Reading