
September 20th, 2006

Spyware pushers cash in big on zero day exploit

Posted by Suzi Turner @ 9:24 pm

Categories: Spyware/adware warnings, Spyware/adware news

I expect that most readers have already read about the latest zero day exploit, Microsoft Vector Graphics Rendering Library Buffer Overflow, discovered by Adam Thomas of the Sunbelt Software research team on Monday. I’m not going into detail on it — there is plenty of information about the exploit already, on ZDNet here, Secunia, US-CERT, SANS, and Microsoft Security Advisory (925568). George Ou has blogged that hardware-enforced DEP stops the exploit from launching. A BleedingSnort signature has been created for the VML exploit.

SocketShield from Exploit Prevention Labs is said to block the exploit. SocketShield has a 30-day trial, and the free Link Scanner on their website will check any URL for the exploit code. Sleazy porn sites are using this vulnerability to drop massive amounts of spyware on unsuspecting users. Roger Thompson of Exploit Prevention Labs called it a "massive malware run" with "drive-by attacks hosing infected machines with browser tool bars and spyware programs with stealth rootkit capabilities."

SunbeltBLOG lists nearly 50 threats being installed through this exploit, including familiar names like Virtumonde, BookedSpace, webHancer, SurfSideKick, Qoologic (also known as Qoolaid), Zenotecnico, and TagAsaurus, with some trojan downloaders and a backdoor thrown into the mix. Many of these use affiliate programs where the affiliate gets paid per install, so somewhere affiliates of these adware/spyware companies are making a killing off this zero day exploit, trashing computers with their crapware. I have not tested this exploit yet, but it sounds like the kind of payload that would render the machine nearly useless.
