Daily cyber threats and internet security news: network security, online safety and latest security alerts
February 17th, 2009

Targeted Malware Attacks Exploiting Internet Explorer 7 Vulnerability

Researchers at TrendMicro have detected a targeted malware attack exploiting last week’s patched critical MS09-002 vulnerability affecting Internet Explorer 7.  Upon opening the spammed Microsoft office document, vulnerable users are automatically forwarded to a Chinese live exploit site which still remains active.

The attack has also been confirmed by McAfee and by the ISC, who point out that the cybercriminals appear to have reverse engineered Microsoft’s patch in order to come up with the exploit.

According to TrendMicro, the threat starts with a spammed malicious .DOC file detected as XML_DLOADR.A. This file has a very limited distribution script, suggesting it may be a targeted attack. It contains an ActiveX object that automatically accesses a site rigged with a malicious HTML detected by the Trend Micro Smart Protection Network as HTML_DLOADER.AS.

HTML_DLOADER.AS exploits the CVE-2009-0075 vulnerability, which is already addressed by the MS09-002 security patch released last week. On an unpatched system though, successful exploitation by HTML_DLOADER.AS downloads a backdoor detected as BKDR_AGENT.XZMS. This backdoor further installs a .DLL file that has information stealing capabilities. It sends its stolen information to another URL via port 443.

The attackers trade-off in this case is to either launch a less noisy targeted attack, or attempt to target as many users as possible by using legitimate web sites as infection vectors, a choice that depends on what they’re trying to achieve, and who are they targeting in particular.

The web service ( used as a “phone back” location with the stolen data, is a well known one used primarily by Chinese hackers in previous massive SQL injections attacks, which doesn’t necessarily mean the campaign is launched by Chinese hackers, since it could be international hackers from anywhere using a well known malicious infrastructure in order to forward the responsibility to local hackers.

Credit: ZDNet

Share this item with others:

More on CyberInsecure:
  • Zero-Day Internet Explorer Vulnerability Exploited In Targeted Email Attacks
  • Critical Internet Explorer Security Vulnerability Fixed By Microsoft
  • Cross-Domain Vulnerability In Microsoft Internet Explorer 6
  • 0-day Vulnerability In Internet Explorer 6, 7 And 8 Exploited In Recent Chinese Attack
  • Microsoft Discovers Flaw In Google Plug-in For Internet Explorer

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Targeted Malware Attacks Exploiting Internet Explorer 7 Vulnerability

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.