Pop-up toolbar spreads via IE flaws

Criminal charges could result for those who use Explorer vulnerabilities to trigger pop-up ads on PCs.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
An adware purveyor has apparently used two previously unknown security flaws in Microsoft's Internet Explorer browser to install a toolbar on victims' computers that triggers pop-up ads, researchers said this week.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

One flaw lets an attacker run a program on a victim's machine, while the other enables malicious code to "cross zones," or run with privileges higher than normal. Together, the two issues allow for the creation of a Web site that, when visited by victims, can upload and install programs to the victim's computer, according to two analyses of the security holes.

The possibility that a group or company has apparently used the vulnerabilities as a way to sneak unwanted advertising software, or adware, onto a user's computer could be grounds for criminal charges, said Stephen Toulouse, security program manager for Microsoft.

"We consider that any use of an exploit to run a program is a criminal use," he said. "We are going to work aggressively with law enforcement to prosecute individuals or companies that do so."

Microsoft learned of the issue when a security researcher posted an analysis of the problem to the Full Disclosure security mailing list Monday. The software giant has already contacted the FBI and is in the "early stages" of building the case, Toulouse said. The company is considering creating a patch quickly and releasing it as soon as possible, rather than waiting for its usual monthly update.

The flaws are apparently being used to install the I-Lookup search bar, an adware toolbar that is added to IE's other toolbars. The adware changes the Internet Explorer home page, connects to one of six advertising sites and frequently displays pop-ups--mainly pornographic ads, according to an adware advisory on antivirus company Symantec's Web site.

On Tuesday, security information group Secunia released an advisory about the problem, rating the two flaws "extremely critical."

"Secunia has confirmed the vulnerabilities in a fully patched system with Internet Explorer 6.0," the group wrote. "It has been reported that the preliminary SP2 (a major security update being developed by Microsoft) prevents exploitation by denying access."

The flaws could let any attacker with a Web site send an e-mail message or an instant message with a link that, when clicked on by an Internet Explorer user, would cause a program to run on that victim's computer.

The original analysis, written by a Netherland student researcher, Jelmer Kuperus, who found that the type of programming needed to take advantage of at least one of the flaws required sophisticated knowledge of the Windows operating system.

"While sophisticated, it's so easy to use, anyone with basic computer science can set up such a page, now that the code is out there in the open," Kuperus wrote in an e-mail interview with CNET News.com. "It's just a matter of changing two or three (Internet addresses) and uploading another" executable file.

Kuperus, who used an e-mail account based in the Netherlands, wrote in a Monday e-mail that he had been tipped off to the adware Trojan horse by an unnamed individual.

"Being rather skeptical, I carelessly clicked on the link only to witness how it automatically installed adware on my PC!" he wrote.

The Internet address from which the adware Trojan horse was downloaded resolves to I-Lookup.com, a search engine registered in Costa Rica that antivirus firms Symantec and PestPatrol have linked to aggressive advertising software. Two of the top three searches on the site relate to removing such programs, according to I-Lookup.com's own statistics.

A domain name search shows i-Lookup.com's parent company to be Aztec Marketing, but Pest Patrol links the site with iClicks Internet. E-mails sent to both companies for comment were not immediately answered.

Kuperus believes that i-Lookup.com's parent company may not be directly responsible for the adware-installing Trojan horse program, but that it could be rewarding the creator through an affiliate program.

"It does pass along a referrer code when downloading," he said. "Whomever created this probably is getting money for every install, so if the folks at (i-Lookup.com) would be willing, they would be able to track down the perpetrators."

Microsoft's Toulouse said Internet Explorer users could harden the software against such attacks by following instructions on the company's site. Other browsers available on Windows, such as Opera and Mozilla, do not contain the flaws.