Web Attack Bulletin

Zero-Day Internet Explorer Exploit Downloads HYDRAQ
Web Attack Bulletin, January 25, 2010

Background of the Attack

We have been receiving several reports and inquiries about a series of attacks that exploit an application vulnerability to download HYDRAQ variants onto compromised computers. The attacks first appeared as targeted attacks against specific individuals; awareness of them grew once the exploit code used in them was made public. The attacks leverage a vulnerability in all versions of Internet Explorer except IE 5.0. Microsoft patched it on January 21 (security bulletin MS10-002); for patch information, refer to the Microsoft Web page for that bulletin.

FROM THE FIELD: EXPERT INSIGHTS

• “[The confusion] lies in the fact that the exploit code has been evolving these past couple of days. The malicious scripts still point to the final payload. It’s like JS_DLOADER is the first generation, JS_ELECOM the second. And now we’re seeing HTML_COMLE as the third.”

—Trend Micro Network Architect Paul Ferguson on the evolution of the IE exploit and the perception that numerous attacks are ongoing

• “Technically... they are unrelated. But the fact that they happened at the same time decreases the possibility that they are completely unrelated.”

—Trend Micro Network Architect Paul Ferguson on the relationship of the IE exploit with the Adobe exploit used in earlier targeted attacks

• “If [the users] patch... But even then, this exploit will still likely be around for a long time. The vulnerability affects IE regardless of the Windows version. And some companies are still using default IE browser installations and cannot simply upgrade because of the way their operations work.”

—Trend Micro Research Manager Jamz Yaneza on whether the upcoming release of a security patch will lessen the impact of the IE exploit

Frequently Asked Questions

What happens in this attack?

Users receive spam or other inbound messages that lead them to URLs hosting the exploit. Cybercriminals craft these pages so that merely visiting them executes code on a vulnerable computer without the visitor’s knowledge.

The exploits target a vulnerability in a widely used application for which, at the height of the attacks, no security update yet existed. Once the exploit is triggered by a visit to the malicious site, a backdoor is downloaded onto the computer, again without the visitor’s knowledge.

The diagram above illustrates the known versions of this attack, each of which appeared after the other. The infection path using JS_DLOADER.FIS appeared first, followed by JS_ELECOM.C, and so on. Exploit code that appeared after JS_ELECOM.C is now detected as the JS_ELECOM.SMA-JS_ELECOM.SMB tandem. JS_DLOADER.FIS and the JS_ELECOM.SMA-JS_ELECOM.SMB tandem exploit CVE-2010-0249 and then connect to URLs to download different variants of HYDRAQ malware.
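The detection names above (JS_DLOADER, then JS_ELECOM, then the SMA/SMB pair) track a script that keeps being re-packaged, and, as noted later in this bulletin, DEP only stops the publicly known exploit builds. A first-line triage check that does not depend on the script family is to score a fetched page for the heap-spray staging that browser exploits of this kind rely on. The Python below is an added example written for this bulletin; it is not Trend Micro’s detection logic, the heuristics and weights are assumptions, and both sample pages are constructed here (the “suspicious” one uses inert placeholder %u units, not shellcode).

```python
"""Heuristic triage of a fetched page for heap-spray staging.

Flags the technique (long unicode-escaped strings, a repeated NOP sled,
string doubling, a spray loop, eval/document.write over unescape) rather
than any particular script family, so it keeps firing when a script is
renamed or lightly re-obfuscated. Added example; not Trend Micro's code.
"""
import html
import re

# (name, pattern, weight) -- the weights are arbitrary tuning assumptions.
HEURISTICS = [
    # 16+ consecutive %uXXXX or \uXXXX units: shellcode or sled packed as unicode escapes
    ("unicode_shellcode", re.compile(r"(?:%u[0-9a-f]{4}){16,}|(?:\\u[0-9a-f]{4}){16,}", re.I), 2),
    # the same unit repeated 16+ times: a NOP sled such as %u0c0d%u0c0d... or %u9090%u9090...
    ("nop_sled", re.compile(r"(%u[0-9a-f]{4}|\\u[0-9a-f]{4})(?:\1){15,}", re.I), 3),
    # x += x: exponential growth of a block to fill the heap
    ("string_doubling", re.compile(r"\b(\w+)\s*\+=\s*\1\b"), 1),
    # for (...; i < NNN; ...) { arr[i] = ... }: filling an array with copies of the block
    ("spray_loop", re.compile(r"\bfor\s*\([^)]*<\s*\d{3,}\s*;[^)]*\)\s*\{?[^}]*\[\s*\w+\s*\]\s*=", re.I), 2),
    # eval(unescape(...)) / document.write(unescape(...)): decoding a hidden stage at runtime
    ("eval_unescape", re.compile(r"\b(?:eval|document\.write)\s*\(\s*unescape\s*\(", re.I), 1),
]
DEFAULT_THRESHOLD = 4


def scan(document):
    """Return {heuristic_name: hit_count} for each heuristic that fired."""
    text = html.unescape(document)  # undo HTML entities (e.g. &#37;u) before matching
    hits = {}
    for name, pattern, _weight in HEURISTICS:
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def score(document):
    """Sum the weights of the heuristics that fired (each counted once)."""
    hits = scan(document)
    return sum(weight for name, _pattern, weight in HEURISTICS if name in hits)


def is_suspicious(document, threshold=DEFAULT_THRESHOLD):
    return score(document) >= threshold


# Constructed samples. The "suspicious" page uses placeholder %u units, not real shellcode.
BENIGN = """<html><body><script>
  var items = ["alpha", "beta"];
  for (var i = 0; i < items.length; i++) { document.write(items[i]); }
  var greeting = "caf\\u00e9";
</script></body></html>"""

PLACEHOLDER_SC = "".join(f"%u{0x1000 + 7 * i:04x}" for i in range(24))  # varied, inert units
SUSPICIOUS = (
    "<html><body><script>\n"
    '  var sc = unescape("' + PLACEHOLDER_SC + '");\n'
    '  var sled = unescape("' + "%u0c0d" * 32 + '");\n'
    "  while (sled.length < 0x40000) sled += sled;\n"
    "  var heap = new Array();\n"
    "  for (var i = 0; i < 200; i++) { heap[i] = sled + sc; }\n"
    '  document.write(unescape("%3Cimg src=x onerror=go()%3E"));\n'
    "</script></body></html>\n"
)

if __name__ == "__main__":
    for label, page in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, score(page), scan(page))
```

Run it over proxy-captured or sandbox-fetched HTML and treat a score at or above the threshold as a reason to pull the page for analysis, not as a verdict: a stage that is fully encoded and only decoded at runtime, or a spray built without unicode escapes, will not trip these patterns, which is the same reason the bulletin insists on the patch rather than on any single mitigation.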
Why is this threat especially dangerous?

Attackers who successfully exploit the vulnerability could take complete control of an affected system, with the same rights as the logged-on user (e.g., install programs; view, change, or delete data; or create new accounts with full user rights).

RELATED BLOG ENTRIES

• New IE Zero-Day Exploit Attacks Continue
• Cyber Attacks on Google and Others—Who Is Really at Risk?
• Trend Micro Proactively Helps Protect Against Zero-Day Attacks Like the Recent IE Exploit
Am I at risk?

This attack is no longer targeted in nature. While the initial wave was directed at certain individuals, now that the code is publicly available any cybercriminal can reuse it in their own attacks. If you are attacked and your browser is vulnerable, your computer will perform the malicious routines of the Trojan payloads. These include connecting to several URLs, which may host further malicious components, and handing control of the computer to the attackers. A sample of the full range of malicious routines that can be performed on your computer can be found in the technical description for TROJ_HYDRAQ.SMA.

Is upgrading to the latest IE version enough to keep me from being affected?

No. The attack is continuously evolving. Applying the workaround provided by Microsoft is strongly encouraged. However, enabling Data Execution Prevention (DEP) in IE versions where it is not enabled by default only protects you from the publicly known exploits; there have already been reports of an exploit variant that bypasses DEP. It is best to apply the out-of-band patch at once.

RELATED VULNERABILITY

• Microsoft Internet Explorer DOM Operation Memory Corruption Vulnerability (979352)

RELATED MALWARE

• JS_DLOADER.FIS
• JS_ELECOM.C
• JS_ELECOM.SMA
• JS_ELECOM.SMB
• TROJ_HYDRAQ.K
• TROJ_COMELE.AJ
• TROJ_HYDRAQ.SMA

So what can I do to protect my computer?

Applying the IE patch mentioned above is crucial in protecting your system. It is also prudent to (1) update to the latest IE version, (2) make sure DEP is enabled, and (3) run IE in Protected Mode (on Windows Vista and Windows 7). Users are likewise advised to consider disabling JavaScript. Note that (1) to (3) reduce the chance of successful exploitation but do not remove the vulnerability; only the patch does.

Furthermore, Trend Micro customers receive up-to-date protection via the Smart Protection Network™. The file reputation service detects and blocks the download of malicious files detected as JS_DLOADER.FIS, JS_ELECOM.C, TROJ_HYDRAQ.SMA, TROJ_HYDRAQ.K, JS_ELECOM.SMA, JS_ELECOM.SMB, and TROJ_COMELE.AJ. The Web reputation service likewise blocks access to the malicious URLs. Lastly, Trend Micro OfficeScan™ users with the Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with the IDF1003879 and IDF1003909 filters.

ONLINE VERSION

This is a developing story. Updates are made to the online version of this document as more information becomes available. The online version can be found at the Threat Encyclopedia “Zero-Day Internet Explorer Exploit Downloads HYDRAQ” special Web attack page.
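The four items under “So what can I do to protect my computer?” (patch, current IE, DEP on, Protected Mode on) can be checked on a fleet rather than by clicking through Internet Options on each machine. The Python below is an added example written for this bulletin, not a Trend Micro or Microsoft tool. The registry locations it reads are assumptions taken from Microsoft documentation (DEPOff under the IE Main key in HKLM, the zone 3 flag 2500 for Protected Mode in HKCU, the IE Version string), and the KB number 978207 for the MS10-002 cumulative update comes from the Microsoft bulletin, not from this page. The decision logic is kept separate from the Windows-only collection so it can be tested with captured values anywhere.

```python
"""Audit a Windows host for the IE hardening items in this bulletin.

evaluate() is pure so it can be tested on any platform; collect() reads the
live values and only works on Windows. Added example, not a vendor tool.
"""
import platform
import subprocess

# Assumed registry locations (taken from Microsoft documentation, not from the bulletin).
IE_KEY = r"SOFTWARE\Microsoft\Internet Explorer"            # HKLM, REG_SZ "Version", e.g. "8.0.7600.16385"
IE_MAIN_KEY = r"SOFTWARE\Microsoft\Internet Explorer\Main"  # HKLM, DWORD "DEPOff": 1 = memory protection off
INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"  # HKCU, DWORD "2500": 0 = Protected Mode on
MS10_002_KB = "KB978207"  # KB of the MS10-002 cumulative update; from the Microsoft bulletin, not this page
LATEST_IE_MAJOR = 8       # current IE release when the bulletin was written (January 2010)
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "INFO": 3}


def ie_major(version_string):
    """'8.0.7600.16385' -> 8; None when the value is missing or malformed."""
    try:
        return int(version_string.split(".")[0])
    except (AttributeError, ValueError):
        return None


def evaluate(ie_version, dep_off, protected_mode_flag, hotfixes, windows_major):
    """Map raw settings to (severity, message) findings, most severe first.

    dep_off and protected_mode_flag are the raw DWORDs, or None when the value is absent;
    hotfixes is an iterable of installed KB ids; windows_major is 5 (XP/2003) or 6 (Vista/7).
    """
    findings = []
    if MS10_002_KB not in set(hotfixes):
        findings.append(("CRITICAL", f"{MS10_002_KB} (MS10-002) is not installed; CVE-2010-0249 is unpatched"))
    major = ie_major(ie_version)
    if major is None or major < LATEST_IE_MAJOR:
        findings.append(("HIGH", f"IE {ie_version!r} is older than IE {LATEST_IE_MAJOR}; upgrade"))
    if dep_off == 1:
        findings.append(("HIGH", "IE memory protection (DEP) is explicitly disabled (DEPOff=1)"))
    elif dep_off is None and (major is None or major < 8):
        # IE7 and earlier never opt in to DEP by themselves, so an absent value means DEP is off.
        findings.append(("HIGH", "DEP is not enabled for IE; this IE version does not opt in by default"))
    if windows_major >= 6:
        if protected_mode_flag != 0:
            findings.append(("MEDIUM", "Protected Mode is off for the Internet zone (zone 3 flag 2500 is not 0)"))
    else:
        findings.append(("INFO", "Protected Mode does not exist before Windows Vista; rely on the patch and DEP"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


def collect():
    """Read the live values on a Windows host and evaluate them."""
    if platform.system() != "Windows":
        raise RuntimeError("collect() needs Windows; call evaluate() with captured values elsewhere")
    import winreg

    def read(hive, path, name):
        try:
            with winreg.OpenKey(hive, path) as key:
                return winreg.QueryValueEx(key, name)[0]
        except OSError:
            return None  # key or value absent

    qfe = subprocess.run(["wmic", "qfe", "get", "HotFixID"], capture_output=True, text=True, check=False)
    hotfixes = [line.strip() for line in qfe.stdout.splitlines() if line.strip().startswith("KB")]
    return evaluate(
        ie_version=read(winreg.HKEY_LOCAL_MACHINE, IE_KEY, "Version"),
        dep_off=read(winreg.HKEY_LOCAL_MACHINE, IE_MAIN_KEY, "DEPOff"),
        protected_mode_flag=read(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY, "2500"),
        hotfixes=hotfixes,
        windows_major=int(platform.version().split(".")[0]),
    )


if __name__ == "__main__":
    for severity, message in collect():
        print(f"[{severity}] {message}")
```

Only the CRITICAL finding closes the vulnerability itself; the HIGH and MEDIUM items correspond to the bulletin’s mitigations, which, as it warns, do not stop a DEP-bypassing variant. Per-user values (Protected Mode) must be read in the context of each interactive user, so run collect() under the account that browses, or iterate HKEY_USERS.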








©2010 by Trend Micro, Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, InterScan, NeatSuite, OfficeScan, and ScanMail are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. www.trendmicro.com

TrendLabs is Trend Micro’s global network of research, development, and action centers committed to 24/7 threat surveillance, attack prevention, and timely and seamless solutions delivery. With a 1,000-strong staff of experts and round-the-clock operations, it stays at the forefront of the Internet security industry and serves as the backbone of Trend Micro’s service infrastructure. With accurate, real-time data, TrendLabs delivers more effective security measures designed to detect, preempt, and eliminate attacks.

Headquartered in the Philippines, TrendLabs is the only multinational research and development center with an extensive regional presence, with labs in the United States, Japan, France, Germany, and China.





However, enabling “Data Execution Prevention (DEP)” in IE versions where it is • JS_ELECOM.SMB not enabled by default will only protect you from the publicly known exploits. There have already • TROJ_HYDRAQ.K been reports of an exploit variant that can bypass “DEP.” It is best to apply the out-of-band patch • TROJ_COMELE.AJ at once. • TROJ_HYDRAQ.SMA So what can I do to protect my computer? ONLINE VERSION Applying the appropriate IE patch mentioned here is crucial in protecting your system. It would also be prudent to (1) update to the latest IE version, (2) make sure that “DEP” is enabled, and (3) This is a developing story. Updates are use IE in protected mode (in Vista and Windows 7). Users are likewise advised to consider disabling made to the online version of this document JavaScript. as more information becomes available. The online version can be found at the Threat Furthermore, Trend Micro customers receive up-to-date protection via the Smart Protection Encyclopedia Zero-Day Internet Explorer Network™. File reputation service detects and inhibits the download of malicious files detected Exploit Downloads HYDRAQ special Web as JS_DLOADER.FIS, JS_ELECOM.C, TROJ_HYDRAQ.SMA, TROJ_HYDRAQ.K, JS_ELECOM.SMA, attack page. JS_ELECOM.SMB, and TROJ_COMELE.AJ. Web reputation service likewise prevents access to malicious URLs. Lastly, Trend Micro OfficeScan™ users with Intrusion Defense Firewall (IDF) plug-in are also protected from this attack if their systems are updated with IDF1003879 and IDF1003909 filters. SM ©2010 by Trend Micro, Incorporated. All rights reserved. TrendLabs is Trend Micro’s global network of research, development, and action centers committed to 24/7 threat surveillance, attack Trend Micro, the Trend Micro t-ball logo, InterScan, prevention, and timely and seamless solutions delivery. 
With a 1,000-strong staff of experts and round-the-clock operations, it stays at NeatSuite, OfficeScan, and ScanMail are trademarks or the forefront of the Internet security industry and serves as the backbone of Trend Micro’s service infrastructure. With accurate, real- registered trademarks of Trend Micro, Incorporated. All time data, TrendLabs delivers more effective security measures designed to detect, preempt, and eliminate attacks. other product or company names may be trademarks or Headquartered in the Philippines, TrendLabs is the only multinational research and development center with an extensive regional registered trademarks of their owners. presence, with labs in the United States, Japan, France, Germany, and China. www.trendmicro.com WEB ATTACK BULLETIN I JANUARY 25, 2010 Page 2 of 2
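The hardening steps listed under “So what can I do to protect my computer?” (current IE version, DEP enabled, Protected Mode on, JavaScript off, out-of-band patch applied) can be audited from the endpoint. The PowerShell script below is an added example, not part of this bulletin or of Trend Micro’s tooling; it assumes the registry locations used by IE 7/8 on Vista and Windows 7 (the DEPOff value under HKCU\Software\Microsoft\Internet Explorer\Main for “Enable memory protection”, zone value 2500 for Protected Mode and 1400 for Active Scripting in the Internet zone), the nx entry reported by bcdedit, and a placeholder KB number to be filled in from the Microsoft page the bulletin references.

```powershell
# Added example (not from the bulletin): audit the IE hardening settings the
# bulletin recommends. Registry locations are assumptions for IE 7/8 on
# Vista/Windows 7; run from an elevated Windows PowerShell prompt (bcdedit
# and Win32_QuickFixEngineering need administrator rights).

$findings = @()

# 1. Installed IE version (the bulletin recommends updating to the latest).
$ieVersion = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Internet Explorer').Version
$findings += "IE version: $ieVersion"

# 2. DEP: the system-wide policy from the boot configuration (OptIn means only
#    processes that opt in, such as IE8, are covered) and IE's own
#    "Enable memory protection" switch (DEPOff = 1 means a user turned it off).
$nxMatch = bcdedit /enum '{current}' | Select-String '^\s*nx\s+(\S+)'
$nx = if ($nxMatch) { $nxMatch.Matches[0].Groups[1].Value } else { 'unknown' }
$findings += "System DEP policy (nx): $nx"
$main = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
$depOff = if ($null -ne $main -and $null -ne $main.DEPOff) { $main.DEPOff } else { 0 }
$findings += 'IE memory protection (DEP): ' + $(if ($depOff -eq 1) { 'DISABLED by user' } else { 'enabled' })

# 3. Protected Mode (value 2500: 0 = on, 3 = off) and Active Scripting
#    (value 1400: 0 = enable, 1 = prompt, 3 = disable) for the Internet zone (zone 3).
$zone = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$protectedMode = if ($zone.'2500' -eq 0) { 'enabled' } else { 'DISABLED' }
$activeScripting = switch ($zone.'1400') { 0 { 'enabled' } 1 { 'prompt' } 3 { 'disabled' } default { 'unknown' } }
$findings += "Protected Mode (Internet zone): $protectedMode"
$findings += "Active Scripting (Internet zone): $activeScripting   # bulletin suggests disabling JavaScript"

# 4. Out-of-band patch: replace the placeholder with the KB number from the
#    Microsoft page referenced in the bulletin before running.
$kb = 'KB<PATCH-NUMBER-PLACEHOLDER>'
$hotfix = Get-WmiObject Win32_QuickFixEngineering | Where-Object { $_.HotFixID -eq $kb }
$findings += "IE out-of-band patch ${kb}: " + $(if ($hotfix) { 'installed' } else { 'NOT FOUND' })

# One line per control; anything flagged in capitals needs attention.
$findings
```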