Security companies say they have uncovered malicious software using the unpatched vulnerability in Internet Explorer to infect.
UK security firm Sophos said today that the Clunky-B Trojan has already been implanted into some websites which will automatically download it to a system through the vulnerability, if the attacker can get someone to visit the site.
Sophos’ senior technology consultant Graham Cluley told us that the vulnerability, if successfully exploited, could be used to download any code or virus – so users need to ensure their antivirus software is up to date with the latest definitions.
In order to push users to visit these sites, the attackers have mounted email campaigns in the hope that recipients will click through to the site. However, this remains at a relatively low level. ‘We haven’t seen any significant ones,’ said Cluley, ‘Apart from a couple of isolated incidents.’
Steve Manzuik of eEye Digital Security’s Research Team told us yesterday that there were already ‘a number of proof of concept exploits as of this morning on the web.’ He said that ‘The handful I have looked at are non-malicious in their nature as they are a simple DoS or they launch Calc.exe. That being said, there are rumours of the Delf-DH Trojan downloader starting to gain a bit of momentum but all the major AV companies rate it as a low risk with minimal propagation. I am working on confirming how the Delf-DH trojan is propagating right now but I suspect that it is the window() issue being used.’
The ‘window()’ issue refers to the Internet Explorer vulnerability being used to download the virus code from malicious websites. The flaw was first thought to have relatively trivial effects – causing the browser to crash. But just over a week ago UK company Computer Terrorism published proof-of-concept code that showed how the vulnerability can be exploited to download and run code on a target system remotely.
The public nature of this revelation meant that Microsoft has not had time to build a patch to fix the issue, while the virus community has spent this time creating attacks. Indeed the company said on Wednesday they had been made aware of malicious code being available. Now it is being used.
Cluley had mixed feelings about how this affair has played out. ‘Well, Microsoft clearly didn’t examine [the vulnerability] in enough depth to begin with, but at the same time I’m sympathetic to them as it wasn’t disclosed responsibly,’ he said.
Cluley told us that more viruses using the exploit to propagate had been discovered since this morning’s initial alert. Manzuik gave us a short list of websites he says will exploit the vulnerability if visited, and Cluley said that he expects increased activity over the next few days.