Web Attack Bulletin: IE Exploit (HYDRAQ)
Zero-Day Internet Explorer Exploit Downloads HYDRAQ
Background of the Attack

We have been receiving several reports and inquiries surrounding a series of attacks that exploit an application vulnerability to download HYDRAQ variants onto infected computers. Awareness about the attacks that first manifested as targeted against individuals increased when the code used in them was made public. These attacks leverage a vulnerability in all versions of Internet Explorer (except IE 5.0) that has since been patched on January 21. For patch information, users are advised to refer to this Microsoft Web page.

FROM THE FIELD: EXPERT INSIGHTS

• “[The confusion] lies in the fact that the exploit code has been evolving these past couple of days. The malicious scripts still point to the final payload. It’s like JS_DLOADER is the first generation, JS_ELECOM the second. And now we’re seeing HTML_COMLE as the third.”
—Trend Micro Network Architect Paul Ferguson on the evolution of the IE exploit and the perception that numerous attacks are ongoing

• “Technically... they are unrelated. But the fact that they happened at the same time decreases the possibility that they are completely unrelated.”
—Trend Micro Network Architect Paul Ferguson on the relationship of the IE exploit with the Adobe exploit used in earlier targeted attacks

• “If [the users] patch... But even then, this exploit will still likely be around for a long time. The vulnerability affects IE regardless of the Windows version. And some companies are still using default IE browser installations and cannot simply upgrade because of the way their operations work.”
—Trend Micro Research Manager Jamz Yaneza on whether the upcoming release of a security patch will lessen the impact of the IE exploit

Frequently Asked Questions

What happens in this attack?

Users may either receive spam or other inbound online communication that may lead them to various exploit-ridden URLs. These URLs are specifically designed by cybercriminals to carry exploits so they can execute code on the vulnerable computer without the visitor’s knowledge. These exploits target a vulnerability in a widely used application for which, during the height of the attacks, there was no security update yet. Once the exploit is triggered by visiting the malicious site, a backdoor is downloaded onto the computer without the visitor’s knowledge.
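The infection chain just described (a lure page, an exploit script pulled in by that page, then a backdoor fetched by the script) leaves a staged footprint in web-proxy logs that a defender can correlate even while the exploit script itself keeps changing. The following is an added example, not part of the Trend Micro bulletin: a small Python correlator over constructed proxy log lines that flags a client which requests an HTML page, a JavaScript resource and an executable download, in that order, within a short window. The log format, the 30-second window, and every host name and URL in the sample are assumptions chosen for the illustration, not indicators from the bulletin.

```python
"""Stage correlation over constructed web-proxy log lines (added example).

Models the drive-by chain in the bulletin: lure page -> exploit script ->
backdoor download. Log format, hosts and URLs are constructed placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one request per line:
#   "<ISO timestamp> <client IP> <method> <url> <content-type>"
# Only 10.0.0.5 completes all three stages; the others are benign noise.
SAMPLE_LOG = """\
2010-01-25T10:00:01 10.0.0.5 GET http://lure.example.test/news.html text/html
2010-01-25T10:00:02 10.0.0.5 GET http://lure.example.test/s.js application/javascript
2010-01-25T10:00:04 10.0.0.5 GET http://payload.example.test/ab.exe application/octet-stream
2010-01-25T10:05:00 10.0.0.7 GET http://intranet.example.test/index.html text/html
2010-01-25T10:05:01 10.0.0.7 GET http://intranet.example.test/app.js application/javascript
2010-01-25T11:00:00 10.0.0.9 GET http://updates.example.test/setup.exe application/octet-stream
"""

# Content types that mark the three stages of the chain, in order.
STAGES = ("text/html", "application/javascript", "application/octet-stream")
# Assumed correlation window: all stages must follow the page load quickly.
WINDOW = timedelta(seconds=30)


def parse_log(text):
    """Parse the constructed log format into (time, client, url, ctype) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, ctype = line.split()
        events.append((datetime.fromisoformat(ts), client, url, ctype))
    return events


def find_driveby_chains(events, window=WINDOW):
    """Return {client: [urls]} for each client whose requests pass through
    all STAGES in order, with every stage inside `window` of the page load."""
    by_client = defaultdict(list)
    for ev in sorted(events):          # chronological order per client
        by_client[ev[1]].append(ev)

    hits = {}
    for client, evs in by_client.items():
        for start, first in enumerate(evs):
            if first[3] != STAGES[0]:  # a chain must begin with an HTML page
                continue
            chain, stage = [first], 1
            for ev in evs[start + 1:]:
                if ev[0] - first[0] > window:
                    break              # too late to belong to this page load
                if ev[3] == STAGES[stage]:
                    chain.append(ev)
                    stage += 1
                    if stage == len(STAGES):
                        hits[client] = [e[2] for e in chain]
                        break
            if client in hits:
                break
    return hits


if __name__ == "__main__":
    for client, urls in find_driveby_chains(parse_log(SAMPLE_LOG)).items():
        print(f"possible drive-by chain from {client}: " + " -> ".join(urls))
```

The correlator keys on the shape of the chain rather than on the script content, which is the property that survives the script rewrites Paul Ferguson describes above; in practice the executable stage would also be checked against a download allow-list, since legitimate installers produce the third stage on their own.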
The diagram above illustrates the known versions of this attack, each of which appeared one after
another. The infection path using JS_DLOADER.FIS appeared first, followed by JS_ELECOM.C and
so forth. Subsequent exploit codes appearing after JS_ELECOM.C in this attack are now detected
WEB ATTACK BULLETIN | JANUARY 25, 2010 | Page 1 of 2