Feb 1, 2010

HYDRAQ | Another browser attack

Last week I was informed by a friend about a new security hole that can invade our private lives. Google and other large companies were victims of these attacks, which go by the names Aurora, the Google Attacks, and HYDRAQ. The campaign is a set of carefully orchestrated, sophisticated, and highly complex attacks. It combined malicious threats across all three communication vectors (email, Web, and files) plus, most notably, a zero-day vulnerability in Internet Explorer (IE).

Image from Trend Micro.
FAQ from Trend Micro:

What happens in this attack?
Users may either receive spam or other inbound online communication that may lead them to various exploit-ridden URLs. These URLs are specifically designed by cybercriminals to carry exploits so they can execute code on the visitor’s computer without the visitor’s knowledge.

These exploits target a vulnerability in a widely-used application for which there is no security update yet. [Jan. 21 update: Patch now available at the Microsoft web page.] Once the exploit is triggered by visiting the malicious site, a file is downloaded on the computer without the visitor’s knowledge. The file is a backdoor.

The diagram above illustrates the known versions of this attack, each of which appeared one after the other. The infection path using JS_DLOADER.FIS appeared first, followed by JS_ELECOM.C and so forth. [Jan. 21 update: Subsequent exploit codes appearing after JS_ELECOM.C in this attack are now detected as the JS_ELECOM.SMA-JS_ELECOM.SMB tandem.] This is a developing story. These exploit codes take advantage of CVE-2010-0249 to connect to URLs to download different variants of HYDRAQ malware.

Why is this threat especially dangerous?
Systems affected by this threat are compromised in such a way that the attackers who successfully exploit this vulnerability could take complete control of an affected system (e.g. install programs or view, change, or delete data, or create new accounts with full user rights).

Am I at risk?
This attack is no longer targeted in nature. While the initial evolution of this attack was directed towards certain individuals, now that the code is accessible to everyone, cybercriminals can use these in their own attacks. Therefore, if you have been attacked and the browser you are using is vulnerable, then your computer will perform the malicious routines of the Trojan payloads. These include connecting to several URLs, which may also host other malicious elements, and reassigning control of the computer to malicious attackers. A sample serving of the full range of malicious routines that can be performed on your computer can be found in the technical description for TROJ_HYDRAQ.SMA.

Is upgrading to the latest IE version enough to keep me from getting affected?
No. The attack is continuously evolving. Performing the workaround provided by Microsoft is highly encouraged, however, enabling Data Execution Prevention (DEP) in IE versions where it is not enabled by default will only protect you from the publicly known exploits. There have already been reports of an exploit variant that can bypass DEP. [Jan. 21 update: Patch now available at the Microsoft web page.]

So what can I do to protect my computer?
Apart from (1) updating to the latest Internet Explorer version, (2) making sure that Data Execution Prevention (DEP) is enabled, and (3) using IE in protected mode (for IE in Vista and Windows 7), users should consider disabling JavaScript. Trend Micro OfficeScan™ users with the Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with the IDF1003879 and IDF1003909 filters. Most importantly, update your IE browser by applying the patch mentioned here.
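The last FAQ answer is really a per-host checklist, and an administrator will want to verify it rather than trust that users clicked through the right dialogs. The PowerShell script below is an added example, not part of the original post or of Trend Micro's FAQ: it audits the installed IE version, the system-wide DEP policy, Protected Mode and Active Scripting for the Internet zone, and whether the Microsoft fix is listed as installed. The registry value names (2500, 1400) and the Win32_OperatingSystem DEP properties are Microsoft's; the KB number used for the patch check is my assumption (the cumulative IE update Microsoft shipped on Jan. 21, bulletin MS10-002) and should be confirmed against the bulletin before relying on it.

```powershell
# Added example: audit of the host-side mitigations listed in the Trend Micro FAQ.
# Not from the original post or from Trend Micro. Requires PowerShell 3.0+ for Get-CimInstance.

function Get-DepPolicy {
    # Win32_OperatingSystem reports the system-wide DEP policy:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    [pscustomobject]@{
        HardwareDepAvailable = [bool]$os.DataExecutionPrevention_Available
        Policy               = $names[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

function Get-IEZoneSetting {
    # Reads one per-user setting of an IE security zone (3 = Internet zone).
    param([int]$Zone = 3, [string]$ValueName)
    $key  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $item = Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Get-IEProtectedMode {
    # Zone value 2500: 0 = Protected Mode on, 3 = off (meaningful on Vista/Windows 7 only).
    $v = Get-IEZoneSetting -Zone 3 -ValueName '2500'
    if ($null -eq $v) { 'NotSet' } elseif ($v -eq 0) { 'Enabled' } else { 'Disabled' }
}

function Get-IEActiveScripting {
    # Zone value 1400: 0 = enabled, 1 = prompt, 3 = disabled.
    $v = Get-IEZoneSetting -Zone 3 -ValueName '1400'
    if ($null -eq $v) { 'NotSet' } elseif ($v -eq 0) { 'Enabled' } elseif ($v -eq 1) { 'Prompt' } else { 'Disabled' }
}

function Get-IEVersion {
    # IE9+ stores the real version in svcVersion; older builds only have Version.
    $ie = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction SilentlyContinue
    if ($ie.svcVersion) { $ie.svcVersion } elseif ($ie.Version) { $ie.Version } else { 'Unknown' }
}

function Test-HotFixInstalled {
    # Get-HotFix reads Win32_QuickFixEngineering; fixes later folded into
    # cumulative updates may not be listed individually, so a false here
    # means "verify manually", not "definitely unpatched".
    param([string]$Id)
    $null -ne (Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Invoke-HydraqMitigationAudit {
    # Assumption: KB978207 is the hotfix id of the MS10-002 IE cumulative update.
    $patchKb = 'KB978207'
    $dep = Get-DepPolicy
    $report = [pscustomobject]@{
        IEVersion        = Get-IEVersion
        DepPolicy        = $dep.Policy
        DepHardware      = $dep.HardwareDepAvailable
        ProtectedMode    = Get-IEProtectedMode
        ActiveScripting  = Get-IEActiveScripting
        PatchInstalled   = Test-HotFixInstalled -Id $patchKb
    }
    $findings = @()
    if (@('AlwaysOff', 'OptIn') -contains $report.DepPolicy) {
        # IE8 opts itself in to DEP; IE7 and older only get DEP under OptOut/AlwaysOn.
        $findings += "DEP policy is $($report.DepPolicy): older IE versions run without DEP"
    }
    if ($report.ProtectedMode -ne 'Enabled') {
        $findings += 'IE Protected Mode is not enabled for the Internet zone'
    }
    if ($report.ActiveScripting -eq 'Enabled') {
        $findings += 'Active Scripting is enabled for the Internet zone (FAQ suggests disabling it until patched)'
    }
    if (-not $report.PatchInstalled) {
        $findings += "$patchKb not reported by Get-HotFix; confirm the IE cumulative update is applied"
    }
    $report | Add-Member -NotePropertyName Findings -NotePropertyValue $findings -PassThru
}

# Run the audit and print one property per line; an empty Findings list means all checks passed.
Invoke-HydraqMitigationAudit | Format-List
```

Run it in an elevated prompt on the workstation you want to check; the per-zone values are read from HKCU, so a Group Policy that forces machine-wide zone settings (the HKLM-only policy) would need to be read from the HKLM equivalent of the same key instead.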