Microsoft today warned of a vulnerability in older versions of Internet Explorer that has been used in limited, targeted attacks: e-mails sent to people inside specific organizations directed them to a Web site hosting exploit code that could take over their computers.
The exploit code has been taken down from the Web site where it was hosted, Jerry Bryant, group manager for Response Communications at Microsoft, told CNET. He declined to identify what site it was or to say what companies or types of companies were targeted in the attacks.
The exploit code was written for Internet Explorer 6 and 7, but IE8 is also vulnerable, he said. The IE9 beta is not vulnerable, and neither, in practice, is a default IE8 installation, where Data Execution Prevention (DEP) is enabled and blocks the exploit. Microsoft has released a security advisory that includes workarounds, such as enabling DEP, reading e-mail in plain text, and setting the Internet and local intranet security zones to "High" to block ActiveX controls and Active Scripting. A Fix-it tool to ease applying the workarounds is expected later today, but Bryant said he had no timeline for a fix or security update.
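The following PowerShell script is an added example, not part of Microsoft's advisory or Fix-it tool. It audits the two workarounds named above on a Windows host: the system-wide DEP policy, and the per-user Internet and Local intranet zone values that govern ActiveX controls and Active Scripting. Checking only those two zone values (rather than every setting the "High" template changes) and the optional `-Remediate` switch are this example's own choices; the registry paths and value meanings are the documented IE zone settings.

```powershell
# Added example (not from Microsoft's advisory): audit the DEP policy and the
# Internet / Local intranet zone settings for ActiveX and Active Scripting,
# and optionally set them to "Disable" as the advisory's "High" zone level does.
[CmdletBinding()]
param([switch]$Remediate)

# Win32_OperatingSystem reports the system-wide DEP policy:
# 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default), 3 = OptOut
$depNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$os       = Get-CimInstance -ClassName Win32_OperatingSystem
$policy   = [int]$os.DataExecutionPrevention_SupportPolicy
Write-Output ("DEP policy: {0} ({1})" -f $policy, $depNames[$policy])
if ($policy -eq 0) {
    Write-Warning 'DEP is AlwaysOff; the IE8 mitigation described in the advisory does not apply.'
}

# Per-user zone settings. Zone 1 = Local intranet, Zone 3 = Internet.
# Value 1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting".
# Data: 0 = Enable, 1 = Prompt, 3 = Disable. "High" disables both.
$zoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$settings = @{ '1200' = 'Run ActiveX controls'; '1400' = 'Active scripting' }
$state    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

foreach ($zoneId in $zones.Keys) {
    $key = Join-Path $zoneRoot $zoneId
    foreach ($name in $settings.Keys) {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $current) { $current = 0 }   # an absent value is treated as Enable here
        $label = "{0,-15} {1,-22}" -f $zones[$zoneId], $settings[$name]
        $desc  = if ($state.ContainsKey([int]$current)) { $state[[int]$current] } else { "unknown ($current)" }
        if ([int]$current -eq 3) {
            Write-Output "$label Disable (OK)"
        } elseif ($Remediate) {
            Set-ItemProperty -Path $key -Name $name -Value 3 -Type DWord
            Write-Output "$label $desc -> Disable (changed)"
        } else {
            Write-Warning "$label $desc; run with -Remediate to disable"
        }
    }
}
```

Run it without arguments to audit, and with `-Remediate` to apply the change for the current user. If the zone settings are enforced through Group Policy, the per-user values this script reads and writes are ignored by IE, so check the policy objects instead.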
Bryant said Microsoft was informed about the problem by a partner on Friday.
Symantec researchers published a blog post today describing how attackers had sent e-mails to a "select group of individuals within targeted organizations." The e-mails included a link to a specific page hosted on an otherwise legitimate Web site located in the U.S., Dean Turner, director of the global intelligence network for Symantec, told CNET.
The link pointed to a page carrying a script that checked which browser and operating system the visitor was using: if the visitor ran IE6 or IE7 it exploited the system, and otherwise it served a blank page, according to Symantec. The exploit allowed arbitrary code to run without the user noticing, and the payload installed a back door on the computer that then contacted a remote server in Poland.
Turner said he could not reveal how many computers may have been compromised, which Web site was hosting the exploit, or which companies were targeted, but said the attacks were not focused on any particular vertical. Symantec posted a screenshot of one of the e-mail messages, which appeared to concern a hotel room reservation.
"We don't really know what its intent was except that it was clearly a back door and would allow an attacker to do anything they wanted to once on the system," he told CNET.
The malware has been removed from both the U.S. Web site and the Polish server, and the operators of both have cooperated with the investigation, Turner said.
Once a machine is compromised, the malware configures itself to start with the computer, registering a service named "NetWare Workstation," and retrieves encrypted files with a .gif extension that tell the Trojan what to do next, according to the Symantec post. Symantec researchers were able to capture a screenshot of commands an attacker appeared to be entering manually. Symantec has dubbed the threat "Backdoor.Pirpi."
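The script below is an added example, not code from Symantec or from the Pirpi analysis, for hunting the persistence artifacts the post describes on a Windows host: a service carrying the "NetWare Workstation" string and start-with-Windows entries. Two assumptions are labelled in the code: the post does not say whether the string is the service's internal name or its display name, so both are matched, and it does not say which startup mechanism is used, so the common Run registry keys are checked as the place to look.

```powershell
# Added example (not Symantec's code): report services and Run-key entries
# matching the persistence artifacts attributed to Backdoor.Pirpi, together
# with the Authenticode status of the binary behind each one.
$indicator = 'NetWare Workstation'   # service string named in the Symantec post

function Get-ImagePath([string]$commandLine) {
    # Reduce a service/Run-key command line ("C:\x\a.exe" -k or C:\x\a.exe -k)
    # to the executable path so it can be signature-checked.
    $p = $commandLine -replace '^"([^"]+)".*$', '$1'
    return ($p -replace '^(\S+\.exe).*$', '$1')
}

function Get-SignatureStatus([string]$commandLine) {
    $exe = Get-ImagePath $commandLine
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        return (Get-AuthenticodeSignature -FilePath $exe).Status
    }
    return 'file missing'
}

# 1. Services. Win32_Service exposes the image path and start mode, which
#    Get-Service does not. Assumption: match both Name and DisplayName.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -eq $indicator -or $_.DisplayName -eq $indicator } |
    ForEach-Object {
        [pscustomobject]@{
            Source    = 'Service'
            Name      = $_.Name
            Location  = $_.DisplayName
            StartMode = $_.StartMode
            Image     = $_.PathName
            Signature = Get-SignatureStatus $_.PathName
        }
    }

# 2. Run keys (assumption: the post does not name the startup mechanism).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's metadata
        [pscustomobject]@{
            Source    = 'Run key'
            Name      = $p.Name
            Location  = $key
            StartMode = 'Logon'
            Image     = [string]$p.Value
            Signature = Get-SignatureStatus ([string]$p.Value)
        }
    }
}
```

Entries whose signature status is anything other than `Valid`, or whose binary lives under a user-writable path, are the ones to pull for analysis; a matching service on a host that has never run Novell client software deserves attention regardless of signature.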
"Looking at the log files from this exploited server we know that the malware author had targeted more than a few organizations," the Symantec post said. "The files on this server had been accessed by people in lots of organizations in multiple industries across the globe. Very few of them were seen accessing the payload file, which means that most users were using a browser which wasn't vulnerable or targeted."
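The post's conclusion came from reading the compromised server's logs: many visitors reached the page, but only those whose browser the script singled out were served the payload. The PowerShell below is an added example of that triage, not Symantec's tooling; it fingerprints the user agent the way the landing page described above did (by IE major version) and reports, per visitor, whether the landing page and the payload were fetched. The log lines, addresses, hostnames and URL paths are constructed for the example, since the real site, paths and victims were not disclosed.

```powershell
# Added example (not from the Symantec post): classify access-log visitors by
# browser and by whether they were served the payload file.
$landingPath = '/news/promo.html'       # assumed path of the fingerprinting page
$payloadPath = '/news/images/ad.gif'    # assumed path of the exploit payload

# Constructed Apache "combined" log lines (not real traffic).
$logLines = @'
203.0.113.10 - - [03/Nov/2010:09:12:01 +0000] "GET /news/promo.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.10 - - [03/Nov/2010:09:12:02 +0000] "GET /news/images/ad.gif HTTP/1.1" 200 9120 "http://example.com/news/promo.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [03/Nov/2010:09:15:44 +0000] "GET /news/promo.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
198.51.100.9 - - [03/Nov/2010:09:20:13 +0000] "GET /news/promo.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7"
192.0.2.33 - - [03/Nov/2010:09:31:09 +0000] "GET /news/promo.html HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.33 - - [03/Nov/2010:09:31:10 +0000] "GET /news/images/ad.gif HTTP/1.1" 200 9120 "http://example.com/news/promo.html" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
'@ -split "`r?`n"

$logRegex = '^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"$'

function Get-BrowserFamily([string]$ua) {
    # The landing page keyed on the IE major version; classify the same way.
    if ($ua -match 'MSIE (\d+)\.') {
        switch ([int]$Matches[1]) {
            6       { return 'IE6 (targeted)' }
            7       { return 'IE7 (targeted)' }
            8       { return 'IE8 (vulnerable, not targeted)' }
            default { return "IE$($Matches[1])" }
        }
    }
    return 'other'
}

$visits = @{}   # ip -> what that visitor fetched
foreach ($line in $logLines) {
    if ($line -match $logRegex) {
        $m  = $Matches          # keep this line's groups before any other -match runs
        $ip = $m.ip
        if (-not $visits.ContainsKey($ip)) {
            $visits[$ip] = [pscustomobject]@{
                IP = $ip; Browser = (Get-BrowserFamily $m.ua)
                Landing = $false; Payload = $false; LastSeen = $m.time
            }
        }
        if ($m.path -eq $landingPath) { $visits[$ip].Landing = $true }
        if ($m.path -eq $payloadPath -and [int]$m.status -eq 200) { $visits[$ip].Payload = $true }
        $visits[$ip].LastSeen = $m.time
    }
}

# Visitors with Payload = True are the ones to treat as compromised; landing
# hits without a payload fetch are the "not vulnerable or not targeted" set.
$visits.Values | Sort-Object Payload -Descending |
    Format-Table IP, Browser, Landing, Payload, LastSeen -AutoSize
```

On the constructed input, the two IE6/IE7 visitors show `Payload = True` while the IE8 and Chrome visitors show only a landing-page hit, which is the pattern the post describes. On a real server, replace the here-string with `Get-Content` on the access log and the two paths with the ones found in the exploit page's source.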