It is not viral, but users are being infected through a banner ad that pops up when users visit pages at a certain web-hosting provider.
Network Associates Inc [NET] named the code, technically a Trojan, QHosts-1. It infects Windows 2000 and XP machines by exploiting a vulnerability in Internet Explorer that was publicized by Microsoft Corp [MSFT] in August, but has yet to be patched.
The Object Type Vulnerability, outlined in Microsoft security bulletin MS03-32, is in how later versions of IE handle objects downloaded from web pages. Exploited correctly, it allows attackers to run code of their choice on target PCs.
In this case, the attacker is exploiting the vulnerability to launch pop-up ads on a victim’s PC, presumably with the intention of enriching themselves from click-throughs on some affiliate advertising program.
Microsoft said it had patched this flaw on August 20, but in early September updated its advisory to state that the patch did not in fact correctly fix the vulnerability. The company has not issued an updated patch since that time.
The CERT Coordination Center, which tracks attacks and vulnerabilities, warned yesterday in an incident note that attackers are actively exploiting the IE vulnerability, though it did not refer specifically to QHosts.
According to NAI, the Trojan modifies the Windows registry and the hosts file (which Windows consults before DNS when resolving names) so that web browsers are redirected to a site evidently controlled by the attacker whenever they try to access certain web search engines.
The Trojan also configures infected machines to use DNS servers at EV1 (ev1.net) for all name resolution. This can cause some applications that rely on local DNS to stop functioning properly.
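The two changes described above, a hosts-file override for search-engine names and a swapped-in set of DNS resolvers, leave artifacts a defender can check for. The script below is an added example, not code from NAI or from the original article: it parses hosts-file text, flags watched domains that are pinned to a non-loopback address, and reports resolver addresses outside an expected set. The watched domain list, the expected resolver addresses and the sample hosts content are all constructed for the example (the article does not name the search engines or the EV1 server addresses involved).

```python
"""Audit a Windows hosts file and DNS resolver list for hijacked name resolution."""
import ipaddress

# Constructed watch list: search-engine hostnames a defender might monitor for
# hosts-file overrides. The article does not name the engines QHosts targeted,
# so these are assumed examples, not the Trojan's real list.
WATCHED_DOMAINS = frozenset({
    "google.com", "www.google.com",
    "search.yahoo.com", "www.altavista.com", "www.msn.com",
})

# Resolvers a hypothetical organisation expects its clients to use (assumed).
EXPECTED_DNS_SERVERS = frozenset({"10.0.0.53", "10.0.1.53"})


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address: ignore rather than abort the audit
        for name in names:
            yield ip, name.lower().rstrip(".")


def find_hijacked_entries(hosts_text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for watched domains pinned to a non-loopback address.

    A hosts entry for a public search engine is unusual on its own; one that
    points at a routable address is how a hosts-file hijack redirects traffic.
    Loopback pins (127.0.0.1) are a common ad-blocking technique and are not flagged.
    """
    hits = []
    for ip, name in parse_hosts(hosts_text):
        if name in watched and not ipaddress.ip_address(ip).is_loopback:
            hits.append((name, ip))
    return hits


def find_unexpected_resolvers(configured, expected=EXPECTED_DNS_SERVERS):
    """Return configured DNS servers that are not in the expected set."""
    return [server for server in configured if server not in expected]


def audit(hosts_text, configured_dns):
    """Run both checks and return one report dict."""
    return {
        "hijacked_hosts": find_hijacked_entries(hosts_text),
        "unexpected_dns": find_unexpected_resolvers(configured_dns),
    }


# Constructed sample input resembling the symptoms described in the article.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.google.com google.com   # routed to a third-party host (constructed)
192.0.2.10      search.yahoo.com
127.0.0.1       www.msn.com                 # loopback pin: not routed anywhere, not flagged
"""
SAMPLE_DNS = ["10.0.0.53", "192.0.2.53"]  # second resolver is not an expected one

if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS, SAMPLE_DNS)
    for name, ip in report["hijacked_hosts"]:
        print(f"hosts-file hijack: {name} -> {ip}")
    for server in report["unexpected_dns"]:
        print(f"unexpected DNS server: {server}")
```

On a real host you would read `%SystemRoot%\System32\drivers\etc\hosts` and the resolver list reported by `ipconfig /all` into `audit()`; the point of the checks is that both artifacts persist after the browser session that delivered the code has ended, so they are worth including in routine host inventory.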
The QHosts infection was delivered through a banner ad displayed at FortuneCity.com, but the ad and the malicious code were hosted at ev1.net.
Texas-based web host Everyone’s Internet Inc, the owner of the ev1.net domain, said that it had located a user account that was the source of the problem and terminated it.
This article was based on material originally published by ComputerWire.