Gamers corrupt websites in zero-day attack, as Microsoft works on a patch

July 7th, 2009

UPDATE 08-July-09, 08:30 a.m. PST: AVG senior researcher Roger Thompson, creator of AVG’s free LinkScanner Web links health-check tool, has just spotted evidence that the Gumblar gang has begun using this zero-day flaw to compromise PCs. That suggests the number of infected Web pages where you can get an infection has, or will, jump by orders of magnitude. The Gumblar boys have figured out that this flaw can be reliably exploited, says Thompson. And the universe of unpatched Windows PCs is vast, because there is no patch available, and Microsoft probably won’t have one ready for several weeks. Another worrisome development: the Gumblar gang couldn’t care less about online gaming currency; they’re out to pilfer FTP credentials to compromise more sites, and are tampering with web traffic.

Microsoft may be justified in not going through the extraordinary lengths it would take to issue an emergency patch for the latest zero-day vulnerabilities cyber crooks are exploiting in the wild.

This attack involves two gaping security holes in the video ActiveX component of the Internet Explorer browser, flaws for which no patches yet exist.

However, a safe haven is readily available. You can avoid this attack by upgrading to IE version 8.0, available since March.

“The exploit doesn’t work on IE8, and it also doesn’t work on Vista,” says Roel Schouwenberg, senior research analyst at Kaspersky Lab. “So anyone running the latest Microsoft browser or Windows operating system is safe.”

Or you can simply avoid using earlier versions of IE that are vulnerable and cannot yet be patched.

Microsoft Security Response team spokesman Christopher Budd this morning declined to stray from a vague company advisory that is not terribly clear about whether Microsoft will deliver a patch in time for its once-a-month security update, otherwise known as Patch Tuesday, which falls on July 14.

Budd told LastWatchdog only that the patch will be released “once it has reached an appropriate level of quality for broad distribution.”

Why patches take so long

To be fair, patching security holes is not easy. The fix must work on multiple versions of Windows and IE in myriad languages. And it must not crash tens of thousands of different consumer and business programs.

Microsoft still has not patched a zero-day discovered last May and used in the wild since then, says Websense CTO Dan Hubbard. The zero-day flaw for which Microsoft issued an advisory yesterday is the second one bad guys have put to work involving flaws in IE’s video ActiveX component.

Readying a patch by July 14th is “very unlikely due to the high effort of testing,” says Luis Corrons, Technical Director of PandaLabs. “I have no doubt that Microsoft is doing its best to have the patch available as soon as possible.”

Still, this attack is extremely dangerous because the bad guys can continue with impunity to corrupt legitimate Web pages with tiny infections that prey on this latest in a long line of Windows zero-day flaws.

Estimates of how many infected web pages lurk in wait for Internet users vary from a few hundred to multiple thousands, with many more anticipated in days and weeks to come. “In the next few days we expect an increase in the number of Web sites affected,” says Corrons. “It’s only a matter of time before we see it distributed worldwide.”

Common attack framework in play

Anyone using a vulnerable PC who clicks on a tainted Web page gets silently directed to one of about a dozen servers that takes advantage of the unpatched flaw and begins to download a series of malicious programs.

The typical sequence of what happens next has never been clearly explained by the tech security community, at least not to LastWatchdog. But with recent guidance from senior Kaspersky researchers Schouwenberg, Costin Raiu and Vitaly Kamluk, I’ve managed to map out the basic framework of most malicious attacks. (A separate, breakthrough post laying this framework out is in the works.)

Many attacks, including this one, hinge on getting a victim to click on a corrupted URL. The attacker then has a few moments to successfully install a minuscule wormhole, called a “Trojan downloader,” that secures ongoing access to the hard drive.

Invariably, the attacker next uses the wormhole to install coding that turns the PC into an obedient “bot,” reporting to a command-and-control server operated by the “botmaster.”

The botmaster next directs this fresh bot to carry out myriad criminal activities — everything from spreading spam to triggering scareware promotions to hijacking online banking accounts.
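The chain just described, a tainted page handing the browser off to a separate exploit server that then drops a binary, leaves a recognisable sequence in web-proxy logs. The following is an added defensive illustration, not code from the article or from any vendor quoted in it; the log format, hosts, addresses and timestamps are constructed.

```python
"""Flag the drive-by chain described above in web-proxy logs (added example).

Assumed log format (constructed): timestamp,client,status,url,content_type.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: client 10.0.0.5 is redirected (302) away from a legitimate
# page to a different host that serves an executable within seconds; client
# 10.0.0.9 fetches an executable too, but with no redirect in front of it.
SAMPLE_LOG = """\
2009-07-07T10:00:01,10.0.0.5,200,http://news.example/index.html,text/html
2009-07-07T10:00:02,10.0.0.5,302,http://news.example/ad.js,text/html
2009-07-07T10:00:03,10.0.0.5,200,http://exploit-host.invalid/ie.html,text/html
2009-07-07T10:00:05,10.0.0.5,200,http://exploit-host.invalid/load.exe,application/octet-stream
2009-07-07T10:05:00,10.0.0.9,200,http://news.example/index.html,text/html
2009-07-07T10:05:01,10.0.0.9,200,http://cdn.example/update.exe,application/octet-stream
"""

WINDOW = timedelta(seconds=30)          # redirect-to-binary time budget
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload"}

def host_of(url):
    """Return the host part of an http(s) URL."""
    return url.split("/", 3)[2]

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, client, status, url, ctype = line.split(",")
        rows.append((datetime.fromisoformat(ts), client, int(status), url, ctype))
    return rows

def find_driveby_chains(log):
    """Return {client: (redirecting host, binary URL)} for clients that hit a
    redirect and then pulled a binary from a *different* host within WINDOW."""
    by_client = defaultdict(list)
    for row in parse(log):
        by_client[row[1]].append(row)
    hits = {}
    for client, rows in by_client.items():
        for ts, _, status, url, _ in rows:
            if status not in (301, 302):
                continue
            for ts2, _, st2, url2, ctype2 in rows:
                if (timedelta(0) < ts2 - ts <= WINDOW and st2 == 200
                        and ctype2 in BINARY_TYPES
                        and host_of(url2) != host_of(url)):
                    hits[client] = (host_of(url), url2)
    return hits
```

The redirect-then-binary-from-another-host pairing is what separates the exploit-server hop from an ordinary software download, which is why 10.0.0.9 is not flagged.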

Gamers at it again

At this moment, virus hunters at dozens of security firms are scrambling to capture and reverse engineer samples of coding from this latest zero-day attack to determine precisely what the bad guys are doing.

This morning, researchers at Bilbao, Spain-based PandaLabs discovered snippets of coding derived from the Lineage family of Trojan programs. This family of viruses has been designed primarily to steal logons and gaming currency from participants in massively multi-player online games, particularly Lineage, a knights-and-castles fantasy game that’s hugely popular in Asia. Gamers have done this before, corrupting the Miami Dolphins stadium website in 2007 to steal Lineage and World of Warcraft loot.

“This particular sample was also using a rootkit to hide itself in the system and avoid detection,” says Corrons.

–Byron Acohido