No Patch Yet for Internet Explorer Qhost-1 Trojan

Once again, computer attackers are taking advantage of a recent vulnerability — this time an unpatched flaw in Microsoft’s widely used Internet Explorer browser — to have their way with vulnerable Windows machines through malicious programs known as Trojans.

The software security holes that affect Internet Explorer versions 5.01 through 6.0, first disclosed in August, have been the basis for several attacks that reportedly consist of efforts to cash in on redirected Web traffic.

Security experts had mixed views about the severity of the Trojans, which were not significantly widespread, but they agreed that exploitation of new software vulnerabilities through several methods and attacks is definitely on the rise.

“The Trojan authors and use [of Trojans] is on the increase because it’s so easy to deploy, so easy to make undetectable and easy to use in conjunction with new vulnerabilities,” iDefense malicious code intelligence manager Ken Dunham told TechNewsWorld.

Trojan Army

Referring to several recent reports about new Trojans, including the most recent high-profile Trojan called Qhosts-1, Dunham said the malware code is activated when users visit malicious Web sites using Internet Explorer.

While spread of the Trojans has been limited — by most accounts — Dunham pointed to a cumulative effect from the onslaught of exploit code that targets recent software weaknesses.

“It’s a lot bigger than people realize, and it’s been going on since September, so it’s a problem,” he said.

Surfing Unsafe

ISS X-Force research engineer Neel Mehta said the chances of Qhost-1 becoming a huge issue are remote, but he told TechNewsWorld that the Trojan program does highlight the “seedier side of the Web” and attackers’ attempts to exploit software vulnerabilities for their own use.

Calling the malicious software a “zero-day exploit” — meaning there is no patch for the problem — Mehta said such exploits are relatively rare and have had significant impact in the past.

“While surfing the Web may be considered a safe activity, it’s really not anymore,” the security researcher said. “Even if you’re up to date [on patches], you’re not necessarily safe.”

Bunk Browser

Microsoft, which rated the vulnerability as critical and tried to patch it in August, has yet to issue an updated fix for the problem, which could yield control of a computer when users visit hostile Web sites or open HTML-based e-mail messages.

Users were advised to disable ActiveX controls and plug-ins in their Internet Explorer browsers or aggressively block ActiveX controls on untrusted sites. However, the disabled components could render the browser useless when it comes to advanced features on many trusted Web sites, according to Mehta.

Dunham, who said that further disabling the ActiveX scripting is required to guard against newer Trojans, recommended using an alternative browser, at least until there is a patch — “just because it’s so easy to be attacked.”

Corrupt Code for Cash

The use of back-door Trojans — software programs that quietly cede control of a machine to an unknown attacker — is on the rise. In a security report this week, Symantec said submission of malicious code that includes the Trojan programs, which can be used in networked attacks or to perpetrate identity theft, rose 50 percent in the first half of 2003 compared with 2002.

Security experts agreed that the Trojan appears to be an effort to make money by generating traffic to certain Web sites. Dunham, who said the author’s motive was petty theft, warned of criminal activity associated with Qhost-1 and other Trojans, which are increasing in severity.

“Not only are we seeing a lot of [Trojan] attacks, but over time, the attackers are upgrading their work because it’s been so successful,” he said. “You choose the vector, you’re going to have success because you’re going to hit a high number of people.”

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels