Trojan uses MS hole to hijack web browsers

News

Trojan uses MS hole to hijack web browsers

Computer hackers have found another way to exploit an unpatched hole in Microsoft's Internet Explorer web browser, using a specially designed attack website to install a Trojan horse program on vulnerable Windows machines.

The Trojan program changes the DNS (Domain Name System) configuration on the Windows machine so that requests for popular web search engines such as www.google.com and www.altavista.com bring the web surfer to a website maintained by the hackers instead, according to warnings from leading security companies. 

The attacks are just the latest in a string of online scams that rely on an easy-to-exploit flaw in IE known as the "ObjectData" vulnerability. 

Microsoft released a patch for the ObjectData vulnerability, MS03-032, in August. However, even machines that applied that patch are vulnerable to the latest attack because of holes in that security patch, according to a bulletin posted by Network Associates.

The Trojan horse program is called Qhosts-1 and is rated a "low" threat, said Network Associates.

Trojan horse programs do not attempt to find and infect other systems. However, they do give attackers access to a compromised computer, often allowing a remote hacker to control the machine as if he or she were sitting in front of it.

Microsoft issued a statement which said that it was investigating reports of exploits for a variation on a vulnerability originally patched in Microsoft Security Bulletin MS03-032 and would release a fix for that hole shortly.

The company recommended that customers worried about attacks should install the latest Windows updates and change their IE internet security zone settings to notify the user when suspicious programs are being run.

Qhosts-1 was installed on vulnerable Windows machines using attack code planted in a pop-up ad connected to a web page set up by the hackers on a free web hosting site, www.fortunecity.com, Network Associates said. 

The DNS servers used in the attack resided on systems owned by hosting firm Everyone's Internet, according to Richard Smith, an independent computer security consultant.

Those servers, as well as the fortunecity.com site used to install the Trojan, have been taken offline since the attack caught the attention of security experts.

That will stop the DNS hijackings, but will also make it impossible for users on infected computers to browse the web until their DNS configuration is restored, Smith said.

However, as long as the Microsoft hole remains unpatched, similar attacks could be launched, he added.

To be attacked, Windows machines had to be running Internet Explorer versions 5.01, 5.5 or 6.0, which contain the ObjectData vulnerability, and visit the website that launched the pop-up.

Paul Roberts writes for IDG News Service


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy