infoTECH Feature

November 11, 2013

Latest Malware Attack Targets English Versions of IE

Security firm FireEye recently discovered zero-day malware designed to exploit software vulnerabilities in versions 7-10 of Internet Explorer (IE). The attacks are especially troublesome because of the difficulty of detecting them with traditional security procedures.

Computers become infected whenever a user visits an infected website. One of the techniques the malware uses is return-oriented programming (ROP), which hijacks a program’s call stack to execute malicious code.

Applications are often complex, and developers manage that complexity by dividing tasks into subroutines that are invoked by higher-level code. Internally, the return addresses of the subroutines are kept on the stack, which makes it possible for a program to run a subroutine, finish it and return to the code that invoked it.

ROP attacks install malicious subroutines on a vulnerable computer and stuff the addresses of these routines into the stack. The malicious routines are invoked when a compromised program (such as IE) executes.
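To make the mechanism in the two paragraphs above concrete, here is an added illustration (example code written for this page, not FireEye's analysis and not code from the malware): a tiny simulated machine whose call stack holds return addresses, exactly as described. CALL pushes the address of the next instruction, RET pops it and jumps there, and a constructed OP_CORRUPT instruction stands in for a memory-safety bug that overwrites the saved return address; it is a placeholder for "a vulnerability", not the actual IE flaw. The example goes one step beyond the article by adding two defences: a shadow stack (a second, untouchable copy of each return address that RET checks, the idea behind return-address-checking ROP mitigations) and a refusal to execute from outside the code region, which is the effect DEP has on data pages. All program listings and status codes are constructed for the demonstration.

```c
#include <stdio.h>

/* Simulated instruction set.  OP_CORRUPT is the hypothetical bug: it
   overwrites the return address saved by the most recent CALL. */
enum Op { OP_CALL, OP_RET, OP_NOP, OP_HALT, OP_CORRUPT };
typedef struct { enum Op op; int arg; } Insn;

enum Status { ST_OK, ST_DETECTED, ST_FAULT, ST_STACK_ERR, ST_TIMEOUT };
typedef struct { enum Status status; int halt_code; int steps; } Outcome;

#define STACK_MAX 16
#define MAX_STEPS 256

/* Run `code` (len instructions).  With use_shadow set, every CALL also
   records the return address on a shadow stack the simulated bug cannot
   reach, and RET refuses to continue if the two copies disagree. */
Outcome run(const Insn *code, int len, int use_shadow)
{
    int stack[STACK_MAX], shadow[STACK_MAX];
    int sp = 0, ssp = 0, pc = 0;
    Outcome out = { ST_TIMEOUT, -1, 0 };

    while (out.steps < MAX_STEPS) {
        if (pc < 0 || pc >= len) {           /* control left the code region; */
            out.status = ST_FAULT;            /* like DEP refusing data pages   */
            return out;
        }
        Insn ins = code[pc];
        out.steps++;
        switch (ins.op) {
        case OP_CALL:
            if (sp >= STACK_MAX) { out.status = ST_STACK_ERR; return out; }
            stack[sp++] = pc + 1;             /* save where to come back to */
            if (use_shadow) shadow[ssp++] = pc + 1;
            pc = ins.arg;
            break;
        case OP_RET: {
            if (sp == 0) { out.status = ST_STACK_ERR; return out; }
            int target = stack[--sp];
            if (use_shadow && target != shadow[--ssp]) {
                out.status = ST_DETECTED;     /* saved address was tampered with */
                return out;
            }
            pc = target;
            break;
        }
        case OP_CORRUPT:                      /* the bug: clobber the saved */
            if (sp > 0) stack[sp - 1] = ins.arg;  /* return address         */
            pc++;
            break;
        case OP_NOP:
            pc++;
            break;
        case OP_HALT:
            out.status = ST_OK;
            out.halt_code = ins.arg;
            return out;
        }
    }
    return out;
}

/* Constructed sample programs.  Address 2 holds code that should never run
   legitimately; reaching it shows control flow was diverted. */
static const Insn clean_prog[] = {
    { OP_CALL, 3 },   /* 0: call subroutine at 3          */
    { OP_HALT, 0 },   /* 1: normal end, exit code 0       */
    { OP_HALT, 99 },  /* 2: never reached legitimately    */
    { OP_NOP, 0 },    /* 3: subroutine body               */
    { OP_RET, 0 },    /* 4: return to caller              */
};
/* Same layout, but the subroutine overwrites its return address with 2. */
static const Insn hijack_prog[] = {
    { OP_CALL, 3 }, { OP_HALT, 0 }, { OP_HALT, 99 }, { OP_CORRUPT, 2 }, { OP_RET, 0 },
};
/* The overwritten address points outside the code region entirely. */
static const Insn offcode_prog[] = {
    { OP_CALL, 3 }, { OP_HALT, 0 }, { OP_HALT, 99 }, { OP_CORRUPT, 50 }, { OP_RET, 0 },
};

#define LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))

int main(void)
{
    Outcome a = run(clean_prog, LEN(clean_prog), 0);
    Outcome b = run(hijack_prog, LEN(hijack_prog), 0);
    Outcome c = run(hijack_prog, LEN(hijack_prog), 1);
    Outcome d = run(offcode_prog, LEN(offcode_prog), 0);
    printf("clean program        : status %d, halt code %d\n", a.status, a.halt_code);
    printf("hijacked, no shadow  : status %d, halt code %d\n", b.status, b.halt_code);
    printf("hijacked, shadow on  : status %d (1 = detected)\n", c.status);
    printf("off-code return      : status %d (2 = fault)\n", d.status);
    return 0;
}
```

Without the shadow stack the corrupted return address silently lands on the attacker-chosen instruction (halt code 99); with it, the mismatch is caught at the RET. The out-of-range case shows why separating data from code matters: an address that does not point at code cannot be executed at all.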

The sophistication of the attack is profound: it identifies the version of MSVCRT.DLL used by a computer and installs malware appropriate to that version. MSVCRT.DLL is the Microsoft Visual C++ Runtime DLL, which contains common functions used by applications. Since many Windows applications are written in Microsoft Visual C++, the opportunities to install the malware are countless.

FireEye recommends using Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) to lessen the severity of potential attacks. EMET recognizes common malware attack techniques and protects against them; it should complement, not replace, antivirus software and firewalls.

The latest version of EMET (version 4.0) is available as a free download from Microsoft. It provides Data Execution Prevention (DEP), which stops code placed in memory set aside for storing data from being executed. It also supports Structured Exception Handler Overwrite Protection (SEHOP), Address Space Layout Randomization (ASLR) and Certificate Trust. These features can be turned on individually for each application, and doing so requires neither access to source code nor recompilation.

Protecting computers against malware has always been a game of one-upmanship between antivirus developers and malware developers. The latest vulnerabilities detected by FireEye are yet another example of how critical it is to keep up to date with service packs and security patches.

Edited by Stefania Viscusi