In-Depth

Alerts: New IE Exploit Hacks DNS; Kaspersky Labs' Top Ten Viruses for September

Anti-virus vendors report MS patch does not protect against Trojan Qhosts; September's list of top ten viruses

• By Mathew Schwartz
• 10/08/2003

Trojan Qhosts HTML

Trojan.Qhosts HTML, a new exploit now making the rounds, takes advantage of the Internet Explorer "extremely critical" ObjectData vulnerability, announced in August and patched by Microsoft. As various anti-virus companies have warned, however, an earlier iteration of the patch inadequately protected computers. For example, it wouldn't stop this attack.

Note that Microsoft just updated the MS03-32 security update for its object-data vulnerability. Security services firm Secunia warns, however, this latest patch may introduce still new vulnerabilities. "This cumulative patch changes some behavior of DHTML, which in combination with other vulnerabilities or programs such as Windows Media Player could lead to execution of arbitrary code."

In other words, the patch may not be complete. "This change does not seem to fix the problem completely as Microsoft still recommends users upgrade Windows Media Player," says Secunia.

Users without the latest patch could be susceptible to Qhosts. A successful attack redirects a user’s computer to another domain name server (DNS).

The exploit only spreads through HTML Web pages. As Symantec notes, "Trojan.Qhosts cannot spread by itself. For a computer to become infected, you would have to open an HTML page that contains code, which allows it to open a viral HTML file on the target computer, so that the script can create and run the malicious executable."

Although a successful exploit of the Windows vulnerability could allow an attacker to run any code on a user’s computer, McAfee Security says that "the purpose of this [T]rojan is [simply] to 'hijack' browser use." For example, any attempts to access Google would be rerouted to another site.

The ObjectData vulnerability has been especially exploited in the past via executable files sent over instant messaging or peer-to-peer programs, an attack vector Symantec says increased 400 percent over the past year.

McAfee notes Qhosts, like all Trojan programs, does not self-replicate. An executable file—which users would have to click on—might redirect users to a Trojan.Qhosts HTML page online, which would then infect their system.

Qhosts installs a file named aolfix.exe on the user’s computer. Aolfix.exe then creates a hidden directory, located at c:\bdtmp\tmp, with a somewhat-randomly-named batch file (which it later deletes). The batch file creates three files, which variously modify the registry. One redirects the computer to another DNS; another, says Symantec, modifies “the hosts file to point many different URLs to the IP specified by the [T]rojan creator.” The intent is to drive users to online advertisements, though the offending servers have been taken offline.

Although Symantec rates the threat of Qhosts as “low,” affected users may be unable to surf the Web until their PCs get patched.

Microsoft Patch: http://www.microsoft.com/windows/ie/downloads/critical/828750/default.asp

Top Ten Viruses for September

Beginning with this issue, Security Strategies will publish a list of the ten most widespread viruses for the month, as reported by anti-virus vendor Kaspersky Labs.

For September, nothing shook the ground in the virus field. The statistical results confirmed that 98 percent of incidents reported were network worms. The other malicious program types are presented episodically: computer viruses caused only about 2 percent of the infections, Trojan programs less than 1 percent.

Among the top viruses we have only one newcomer. "Swen" appeared in mid-September (see http://info.101com.com/default.asp?id=2943). Due to the date of its appearance, it did not succeed in taking first place, but if the trend continues, next month "Swen" is going to beat "Sobig" in the list.

Virus Name and Percentage by Occurrence

• I-Worm.Sobig 44.75%
  
• I-Worm.Swen 36.50%
  
• I-Worm.Mimail 6.50%
  
• I-Worm.Klez 2.52%
  
• I-Worm.Lentin 2.35%
  
• I-Worm.Tanatos 0.81%
  
• I-Worm.Dumaru 0.68%
  
• Worm.Win32.Lovesan 0.35%
  
• Worm.P2P.SpyBot 0.14%
  
• Win95.CIH 0.11%