[ISN] New generation of IE malware now circulating

[InfoSec News]

http://www.networkworld.com/news/2006/033106-ie-malware.html

By Robert McMillan
IDG News Service
03/31/06

Hackers have posted a new version of malicious software that will make
it easier for them to exploit an unpatched vulnerability in
Microsoft's Internet Explorer (IE) browser. Based on a critical bug
disclosed on March 22, the software was posted by hackers Friday to
the Milw0rm.com Web site.

The code exploits a flaw in the way IE processes Web pages using the
createTextRange() method. Hackers have been using malware that takes
advantage of this vulnerability to install unauthorized software on
victims' computers over the past week, but this new generation is
considered to be more dangerous, according to security researchers.

Older versions of the malware could freeze victims' browsers for more
than a minute, giving them an opportunity to shut down their computers
or stop the malicious software before it could complete its work. But
the new software works more quickly, meaning it will be particularly
effective on older machines with limited memory and processing
capabilities, said Craig Schmugar, researcher with McAfee Avert Labs.

Though hackers had not widely adopted the new software as of Friday
morning, Schmugar said he expected that to change. "It's still pretty
early," he said. "I think it's reasonable to expect that people will
shift."

The software also uses new techniques to avoid certain types of
signatures used by anti-virus vendors, said Aviv Raff, a security
researcher based in Israel. "It's much more effective," he said. "I
think people should know and understand that ... now they are more
vulnerable."

The fact that the code was released just before the weekend is also
worrisome, because it means that "administrators have to wait for
Monday to apply their protections and to give warning to users," said
Juha-Matti Laurio, a security researcher in Helsinki.

With a fix for the problem expected as late as April 11, the date of
Microsoft's next scheduled security update, security companies
Determina and eEye Digital Security issued unsupported patches for the
problem. According to eEye, there have been more than 70,000 downloads
of its software since its Monday release.

Microsoft does not recommend that users install these patches.  
Instead, it recommends that users disable IE's Active Scripting
feature as a work-around.

Despite the severity of the TextRange() bug, McAfee says that the
malware that takes advantage of it is not particularly widespread.  
This software at present ranks No. 13 in McAfee's list of the top 20
pieces of malware being reported, Schmugar said.