Vulnerability, Virus, No Patch
21 May 2003
Trojan program infects computers by exploiting an Internet Explorer vulnerability
Kaspersky Lab, an international data security software developer, reports the appearance of the Trojan program 'StartPage' - the first malware to infect computers via the "Exploit.SelfExecHtml" vulnerability in the Internet Explorer security system. The infection is particularly dangerous because Microsoft has yet to release the required patch, essentially leaving users defenseless against this and other, potentially more dangerous threats that exploit the very same vulnerability.
StartPage is a classic Trojan - it is sent to victim addresses directly from the author and does not have an automatic send function. The first mass mailing to several hundred thousand addresses was registered in Russia on May 20. The text accompanying the Trojan program is written in Russian and clearly indicates the program's birthplace as either Russia or the former USSR.
The StartPage program is a Zip archive that contains two files - one HTML file and one EXE file. When the HTML file is opened, the StartPage code is launched and exploits the Internet Explorer security system vulnerability known as "Exploit.SelfExecHtml". It then clandestinely launches the EXE file carrying the Trojan program.
"It is hard to call this program dangerous, its collateral effects include only the altering of an old Internet Explorer page. Still, StartPage has set a precedent with its usage of a vulnerability for which there is not yet a patch", commented Eugene Kaspersky, Head of Anti-virus Research at Kaspersky Lab.
According to Kaspersky Lab statistics, over 85% of virus incidents in 2002 were caused by malicious programs such as 'Klez' and 'Lentin' that exploit the IFRAME vulnerability in Internet Explorer. That vulnerability was discovered over two years ago, so users have had plenty of time to install the patch and protect themselves against any similar virus appearing in the future.
"With StartPage we are dealing with an open vulnerability. Users can protect themselves with anti-virus software, but not all of them have strong heuristic technology to protect against future viruses", continued Eugene Kaspersky. "A new vulnerability has been exposed that may incite the creation of a multitude of new malware that could lead to new epidemics of a global scale."
The following programs are vulnerable to the "Exploit.SelfExecHtml" breach:
- Microsoft Internet Explorer 5.0 for Windows 2000
- Microsoft Internet Explorer 5.0 for Windows 95
- Microsoft Internet Explorer 5.0 for Windows 98
- Microsoft Internet Explorer 5.0 for Windows NT 4.0
Kaspersky Lab appeals to Microsoft to make a strong effort to release the necessary patch, as other malicious programs that exploit the very same technology will soon appear. If a solution is not provided soon, we can expect a long-lasting, large-scale epidemic that could surpass even the Klez epidemic.