Attackers flock to Internet Explorer VML exploit

Malware toolkits are making it simple to exploit the Microsoft IE vulnerability

Security experts have warned of a sharp hike in the number of cyber-criminals actively exploiting the newly discovered VML vulnerability in Microsoft's Internet Explorer.

"More and more sites are using this exploit code," McAfee's Avert Labs virus researcher Craig Schmugar told vnunet.com. 

Inclusion of the exploit in a malware toolkit known as 'WebAttacker' has made it easier to implement, according to Schmugar.

"[WebAttacker] is known for making it easier for someone with less skill to use this toolkit to install their payload," he said.

"Tools have been posted to be able to plug in a URL and build an exploit that downloads and executes the file of choice."

Reports surfaced last Wednesday of an unpatched vulnerability in Internet Explorer's Vector Markup Language that could allow attackers to take control of a system. 

The vulnerability was first exploited through a group of adult websites hosted in Russia.

Over the weekend an existing data phishing operation started using the VML exploit in an effort to steal log-in data for financial websites, Roger Thompson, chief technology officer at Exploit Prevention Labs, told vnunet.com. 

The group sends out weekly spam emails informing recipients that they have received a digital card through Yahoo Greetings. 

While users eventually arrive at the Yahoo website, they are first taken past an exploit server that infects their system with a Trojan.

The Trojan is designed to collect all information used in online forms, allowing the attackers to collect log-in details for banking websites and online payment services such as PayPal.

The attackers have been active for four to five months. Prior to exploiting the VML vulnerability, they targeted a critical security hole in the Microsoft Data Access Components in Windows that was repaired in April. 

Even when the group was targeting the patched vulnerability, the attackers harvested 200MB of data every week, according to Thompson's research.

He predicted that the group will ensnare even more victims now that it has started exploiting the unpatched VML exploit.