
Internet Explorer Zero-Day Malware Targets U.S. Bigwigs

Oleg Doroshin/Shutterstock


Sophisticated online spies have rigged a politically influential American website with malware exploiting a brand new flaw in Microsoft Internet Explorer, immediately infecting visitors who use that family of browsers.

Microsoft will be patching the flaw in today's round of Patch Tuesday software updates, but you might want to install and run some of the best antivirus software if you haven't already.

The malware has been linked to some of the most notorious Chinese cyber-espionage campaigns of recent years, including the Operation Aurora series of data breaches that hit dozens of major American corporations, according to data posted online by researchers from Milpitas, Calif.-based security firm FireEye.

"The attackers inserted this zero-day exploit into a strategically important website, known to draw visitors that are likely interested in national and international security policy," a FireEye blog posting said over the weekend.


Fortunately, Microsoft was already on the case.

"We have confirmed that this vulnerability is an issue already scheduled to be addressed" in November's round of monthly security patches, wrote Microsoft Trustworthy Computing manager Dustin Childs in a Microsoft blog posting yesterday (Nov. 11).

The FireEye team did not name the corrupted website. A similar attack in December 2012 rigged the website of the Council on Foreign Relations, an influential think-tank whose members include current and former U.S. presidents, congressmen and secretaries of state.

A zero-day exploit attacks a previously unknown software flaw, leaving security professionals zero days to prepare for it. Most antivirus software will not catch a zero-day exploit until it receives a malware-definition update that covers it.

This new malware is not connected to a separate Microsoft zero-day exploit that targets Microsoft Office. That Office exploit is currently being used by Indian cyberspies against Pakistan and will not be patched in this month's scheduled round of updates.

This new malware, which FireEye is calling Ephemeral Hydra, is so stealthy that its payload, a variant of a previously seen Trojan, doesn't even install itself on the computer's hard drive. Rather, the payload directly infects a PC's running memory and quickly spreads to any connected organizational network. If an infected machine is rebooted, the malware is erased without a trace.

"The fact that the attackers used a non-persistent first-stage payload suggests that they are confident in both their resources and skills," the FireEye researchers wrote. "As the payload was not persistent, the attackers had to work quickly, in order to gain control of victims and move laterally within affected organizations."

Analysis of the malware's payload revealed that it shared a command-and-control domain with the "Deputy Dog" espionage campaign. That campaign used a different Internet Explorer zero-day exploit to attack Japanese and Taiwanese bank and government websites from August through October.

The payload also shares components with malware used in the attack in February 2013 on Waltham, Mass.-based security firm Bit9, and with the massive Operation Aurora spying campaign of 2009.

The Aurora attackers, thought to be the Chinese state-sponsored Elderwood group, penetrated the networks of Google, Adobe and Rackspace, as well as those of some 80 other technology, financial, energy and defense companies that never confirmed their involvement. (Google was one of the few companies to confirm it had been hacked, and left the mainland Chinese market as a result.)

Rigging a website of special interest to a particular group is known as a "watering hole" attack. A similar attack involving a rigged forum for mobile-app developers infected the corporate networks of Apple, Facebook, Microsoft and Twitter in January 2013.

The watering-hole attack last December against the Council on Foreign Relations has also been tied to the Elderwood group.

The new malware affects Internet Explorer 7, 8, 9 and 10 on Windows XP and 7. It's not yet clear whether Windows Vista or 8, or Internet Explorer 11, are also affected. Macs obviously are not, but Mac users should still use some of the best Mac antivirus software.

The patch for the flaw will be applied today or tomorrow to all Windows users who have enabled automatic updates in the Windows Update utility. Until then, users of Internet Explorer can either switch to another browser or lock down Internet Explorer with Microsoft's Enhanced Mitigation Experience Toolkit.
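For administrators who want to confirm where their machines stand against the affected-version list above (Internet Explorer 7 through 10 on Windows XP and 7) and the patching advice, the following PowerShell script is an added example written for this article; it is not code from FireEye, Microsoft or the article's author. It reads the standard Internet Explorer and Windows Update registry locations; the AUOptions value meanings are the documented Windows ones, while the EMET service name (`EMET_Service`) is an assumption and only used as a presence hint.

```powershell
# Added example (not from the article): report whether this machine matches the
# affected profile described in the article (IE 7-10 on Windows XP / 7), whether
# Windows Update will install the fix automatically, and whether EMET appears
# to be installed. Run in an elevated PowerShell prompt on the machine to check.

function Get-IeMajorVersion {
    $ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
    $props = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
    if (-not $props) { return $null }
    # IE 10 and later report their real version in svcVersion; the older
    # Version value stays at 9.x on those builds, so prefer svcVersion.
    $ver = if ($props.svcVersion) { $props.svcVersion } else { $props.Version }
    if (-not $ver) { return $null }
    return [int]($ver.Split('.')[0])
}

function Get-AutoUpdateMode {
    # A Group Policy setting overrides the local Auto Update configuration.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty -Path $localKey  -ErrorAction SilentlyContinue
    $opt = if ($policy -and $policy.AUOptions) { $policy.AUOptions }
           elseif ($local -and $local.AUOptions) { $local.AUOptions }
           else { $null }
    switch ($opt) {
        1 { return 'Never check for updates (patch will NOT arrive automatically)' }
        2 { return 'Check only; notify before download' }
        3 { return 'Download automatically; notify before install' }
        4 { return 'Download and install automatically (patch will arrive on its own)' }
        default { return 'Not configured / unknown' }
    }
}

function Test-EmetPresent {
    # Assumed service name for EMET 4.x; treat a miss as "not detected", not "absent".
    $svc = Get-Service -Name 'EMET_Service' -ErrorAction SilentlyContinue
    return [bool]$svc
}

$ieMajor    = Get-IeMajorVersion
$osCaption  = (Get-WmiObject -Class Win32_OperatingSystem).Caption
$affectedIe = ($ieMajor -ne $null) -and ($ieMajor -ge 7) -and ($ieMajor -le 10)
$affectedOs = $osCaption -match 'Windows XP|Windows 7'

Write-Output "Operating system : $osCaption"
Write-Output "IE major version : $(if ($ieMajor) { $ieMajor } else { 'not found' })"
Write-Output "Windows Update   : $(Get-AutoUpdateMode)"
Write-Output "EMET detected    : $(Test-EmetPresent)"

if ($affectedIe -and $affectedOs) {
    Write-Output 'RESULT: matches the affected profile (IE 7-10 on XP/7). Apply the Patch Tuesday update, or use another browser / EMET until it is installed.'
} elseif ($affectedIe) {
    Write-Output 'RESULT: affected IE version on an OS the article does not list as confirmed; patch anyway.'
} else {
    Write-Output 'RESULT: IE version not in the affected list; still install the update.'
}
```

The script only reads configuration; it changes nothing. On a domain-joined machine the Group Policy key is the one that matters, which is why it is consulted first. An "IE version not in the affected list" result for IE 11 should be read in light of the article's note that IE 11 had not yet been confirmed either way.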

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.