UPDATE: How To Patch IE Against the Qhost-1 Trojan

While computer attackers are taking advantage of a recent vulnerability in Internet Explorer, Microsoft has yet to release an update that can patch exposed systems. However, there are workarounds that users can employ to protect their systems.

The software security holes that affect Internet Explorer versions 5.01 through 6.0, first disclosed in August, have been the basis for several attacks that reportedly consist of efforts to cash in on redirected Web traffic. Security experts have mixed views about the severity of the Trojans, but they agreed that exploitation of new software vulnerabilities through several methods and attacks is definitely on the rise.

“The Trojan authors and use [of Trojans] is on the increase because it’s so easy to deploy, so easy to make undetectable and easy to use in conjunction with new vulnerabilities,” iDefense malicious code intelligence manager Ken Dunham told TechNewsWorld.

Referring to several recent reports about new Trojans, including the most recent high-profile Qhosts-1 Trojan, Dunham said the malware code is activated when users visit malicious Web sites using Internet Explorer.

Protecting Internet Explorer

In lieu of a direct patch, Microsoft has proposed a workaround that consumers can implement until a new patch is released.

“You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX components,” Microsoft said in a recently updated version of the security bulletin that originally disclosed the critical vulnerability in Internet Explorer 5.01, 5.5, and 6.0.

To force IE to present a prompt before executing an ActiveX control, open the Tools menu in Internet Explorer, select Internet Options and click on the Security tab. Highlight the Internet icon and click on the Custom Level button. Then scroll through the list to the ActiveX controls and plug-ins section. Under the “Run ActiveX controls and plug-ins” section, click the checkbox to have IE prompt you before running an ActiveX control.

Then click OK, highlight the Local Intranet icon and click on the Custom Level button. Scroll through the list to the “Run ActiveX controls and plug-ins” section and repeat the setting you chose for the Internet security zone.

When you go to a site that you trust, your Internet Explorer browser will now prompt you to run any ActiveX controls that it encounters.
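The same workaround can be checked and applied through the registry, shown here as an added example that is not from the article or from Microsoft's bulletin. Internet Explorer keeps per-zone settings under the Zones key, where zone 3 is Internet, zone 1 is Local intranet, and action 1200 is “Run ActiveX controls and plug-ins” (0 = Enable, 1 = Prompt, 3 = Disable). Saved as a script, it only reports unless run with -Apply; the machine-policy lookup assumes the host may be centrally managed.

```powershell
# Added example: audit (default) or set (-Apply) the "Run ActiveX controls and
# plug-ins" action for the Internet and Local intranet zones of the current user.
param([switch]$Apply)

$Action = '1200'   # URL action: Run ActiveX controls and plug-ins
$Prompt = 1        # 0 = Enable, 1 = Prompt, 3 = Disable
$Names  = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$Zones  = @( @{ Id = 3; Name = 'Internet' }, @{ Id = 1; Name = 'Local intranet' } )
$UserBase   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
# Assumption: a machine-wide policy, if one is set, takes precedence over the user value.
$PolicyBase = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ZoneAction([string]$Base, [int]$Zone) {
    # Returns the DWORD stored for the action, or $null when the value is absent.
    $key  = Join-Path $Base $Zone
    $item = Get-ItemProperty -Path $key -Name $Action -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Action
}

function Format-Action($Value) {
    if ($null -eq $Value) { return '(not set)' }
    if ($Names.ContainsKey($Value)) { return $Names[$Value] }
    return "unknown ($Value)"
}

foreach ($z in $Zones) {
    $before = Get-ZoneAction $UserBase $z.Id
    $policy = Get-ZoneAction $PolicyBase $z.Id

    if ($Apply -and $before -ne $Prompt) {
        $key = Join-Path $UserBase $z.Id
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name $Action -Value $Prompt `
            -PropertyType DWord -Force | Out-Null
    }

    $after     = Get-ZoneAction $UserBase $z.Id
    $effective = if ($null -ne $policy) { $policy } else { $after }
    [pscustomobject]@{
        Zone          = $z.Name
        Before        = Format-Action $before
        After         = Format-Action $after
        MachinePolicy = Format-Action $policy
        WillPrompt    = ($effective -eq $Prompt)
    }
}
```

A row with WillPrompt set to False after running with -Apply means a machine policy is overriding the per-user value, so the dialog-box steps above will not stick either.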

Microsoft has said that users should always add the Windows Update site to the Trusted site section of Internet Explorer, because this is the URL that will host the patch when it becomes available — and it uses an ActiveX control to install the patch.

Trojan Army

While spread of the Trojans has been limited — by most accounts — Dunham pointed to a cumulative effect from the onslaught of exploit code that targets recent software weaknesses.

“It’s a lot bigger than people realize, and it’s been going on since September, so it’s a problem,” he said.

ISS X-Force research engineer Neel Mehta said the chances of Qhost-1 becoming a huge issue are remote, but he told TechNewsWorld that the Trojan program does highlight the “seedier side of the Web” and attackers’ attempts to exploit software vulnerabilities for their own use.

Calling the malicious software a “zero-day exploit” — meaning there is no Microsoft patch for the problem — Mehta said such exploits are relatively rare and have had significant impact in the past.

“While surfing the Web may be considered a safe activity, it’s really not anymore,” the security researcher said. “Even if you’re up to date [on patches], you’re not necessarily safe.”

Critical Vulnerability

Microsoft rated the vulnerability as critical and did try to patch it in August, but the company has yet to issue an updated fix for the problem, which could yield control of a computer when users visit hostile Web sites or open HTML-based e-mail messages.

The use of back-door Trojans — software programs that quietly cede control of a machine to an unknown attacker — is on the rise. In a security report this week, Symantec said submission of malicious code that includes the Trojan programs, which can be used in networked attacks or to perpetrate identity theft, rose 50 percent in the first half of 2003 compared with 2002.

Security experts agreed that the Trojan appears to be an effort to make money by generating traffic to certain Web sites. Dunham, who said the author’s motive was petty theft, warned of criminal activity associated with Qhost-1 and other Trojans, which are increasing in severity.

“Not only are we seeing a lot of [Trojan] attacks, but over time, the attackers are upgrading their work because it’s been so successful,” he said. “You choose the vector, you’re going to have success because you’re going to hit a high number of people.”
