There is a widespread attack underway against an unpatched vulnerability in Msvidctl.dll, with attackers using thousands of newly compromised Web sites to exploit visitors' PCs via drive-by downloads. The attacks use Internet Explorer, which loads the vulnerable ActiveX control hosted by the DLL, as the attack vector and push a Trojan downloader onto exploited machines.
The attacks use iFrames injected into legitimate pages to redirect visitors to the exploit sites, many of which appear to be hosted in China, experts say. The vulnerability being exploited is not the zero-day flaw in Microsoft's DirectShow component that was previously reported. Instead, the attacks target a previously undisclosed bug in Msvidctl.dll, the DLL that hosts the Microsoft Video ActiveX Control used for streaming video content on the Web.
Once a machine is compromised, the attackers push a Trojan downloader program to the victim's PC. The malware being pushed is already detected by many antimalware programs. The SANS Internet Storm Center recommends setting the kill bit for the control's class identifiers (CLSIDs), which stops Internet Explorer from instantiating the vulnerable control and so blocks the attack even though the DLL itself remains unpatched.
Microsoft has set up a page with information on how to work around the vulnerability and a Fix it tool that sets the kill bit automatically, preventing exploitation of the flaw.
Microsoft also has released an advisory (Microsoft Security Advisory 972890) on the Msvidctl.dll vulnerability and said it is investigating the issue. The company said users of Windows XP and Windows Server 2003 should disable the affected ActiveX control. From the advisory:
Our investigation has shown that there are no by-design uses for this ActiveX Control in Internet Explorer which includes all of the Class Identifiers within the msvidctl.dll that hosts this ActiveX Control. For Windows XP and Windows Server 2003 customers, Microsoft is recommending removing support for this ActiveX Control within Internet Explorer using all the Class Identifiers listed in the Workaround section. Though unaffected by this vulnerability, Microsoft is recommending that Windows Vista and Windows Server 2008 customers remove support for this ActiveX Control within Internet Explorer using the same Class Identifiers as a defense-in-depth measure.
Customers may prevent the Microsoft Video ActiveX Control from running in Internet Explorer, either manually using the instructions in the Workaround section or automatically using the solution found in Microsoft Knowledge Base Article 972890. By preventing the Microsoft Video ActiveX Control from running in Internet Explorer, there is no impact to application compatibility.
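As an added example (not Microsoft's Fix it and not code from this article), the PowerShell below applies the same workaround by hand: for each CLSID it ORs the kill bit (the 0x400 bit of the "Compatibility Flags" value under the ActiveX Compatibility key) into any flags already present, then reads the value back to confirm. The two CLSIDs in the list are placeholders, not real identifiers; the real list is the one in the Workaround section of the advisory.

```powershell
# Added example, not Microsoft's Fix it and not code from the article.
# Sets the Internet Explorer kill bit (Compatibility Flags bit 0x400) for
# each CLSID listed and verifies the result. Run from an elevated prompt.
# The CLSIDs below are placeholders: replace them with the full list from
# the Workaround section of Microsoft Security Advisory 972890.

$Clsids = @(
    '{00000000-0000-0000-0000-000000000001}',   # placeholder, not a real CLSID
    '{00000000-0000-0000-0000-000000000002}'    # placeholder, not a real CLSID
)

$KillBit  = 0x400
$BasePath = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-CompatibilityFlags {
    param([string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { return 0 }
    $item = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    param([string]$Clsid)
    return ((Get-CompatibilityFlags $Clsid) -band $KillBit) -eq $KillBit
}

function Set-KillBit {
    param([string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any flags already set; only OR in the kill bit.
    $flags = (Get-CompatibilityFlags $Clsid) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

foreach ($clsid in $Clsids) {
    # Refuse anything that is not a braced GUID so a typo cannot create a stray key.
    if ($clsid -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        Write-Warning "Skipping malformed CLSID: $clsid"
        continue
    }
    if (Test-KillBit $clsid) {
        Write-Output "$clsid : kill bit already set"
        continue
    }
    Set-KillBit $clsid
    if (Test-KillBit $clsid) {
        Write-Output "$clsid : kill bit set"
    } else {
        Write-Warning "$clsid : failed to set kill bit (is the prompt elevated?)"
    }
}
```

Two caveats a practitioner should keep in mind. The script writes only the native registry view; on 64-bit Windows the 32-bit Internet Explorer reads the copy under HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility, so run it again with that base path (the Fix it covers both). And the kill bit is honoured per CLSID, which is why the advisory lists every class identifier in the DLL rather than one: missing a single CLSID leaves a path to the same code.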
The attacks against Msvidctl.dll follow in the footsteps of the attackers who have been using SQL injection to compromise thousands of legitimate sites for the last year or so. The specific attack vector is different, but the idea is the same: compromise a large number of legitimate sites, draw in visitors running vulnerable software, and install your malware.
This has proven to be a very lucrative and effective attack method of late, and has been used to push all sorts of malware. Attackers can install keyloggers, Trojans or whatever other programs they choose once they have exploited a given PC. That much has not changed. What has changed is the variety of vectors attackers have at their disposal for these attacks. The number of sites vulnerable to SQL injection is enormous, and many sites that are cleaned once are reinfected over and over, researchers say, typically because the injected content is removed but the injection flaw that let it in is not fixed.
The SANS Internet Storm Center also has put together a running list of the domains currently serving the exploit. The list contains a few dozen domains right now, and there is a separate list of the domains that are pushing the binary to compromised machines.
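For a site owner checking whether their own pages carry the injected iFrames described above, the following is an added example (not code from the article, SANS or Microsoft). It scans HTML for iframe tags that are off-site, zero-sized or styled hidden, and flags any whose host appears in a blocklist such as the ISC domain list. The blocklist entries, the site name and the sample page are constructed for the demonstration and are not real domains from the SANS list.

```powershell
# Added example, not from the article, SANS or Microsoft. Flags <iframe>
# tags that look injected: pointing off-site, zero-sized, styled hidden,
# or pointing at a blocklisted host. Domains below are constructed placeholders.

$Blocklist = @('exploit-host.example', 'payload.example')   # constructed, not the ISC list
$OwnHost   = 'www.victim-site.example'                      # the site being audited

# Constructed sample page: one legitimate iframe and one injected, hidden one.
$SamplePage = @'
<html><body>
<p>Welcome</p>
<iframe src="http://www.victim-site.example/ads/banner.html" width="300" height="250"></iframe>
<iframe src="http://exploit-host.example/in.cgi?8" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>
'@

function Find-SuspiciousIframes {
    param([string]$Html, [string]$OwnHost, [string[]]$Blocklist)
    $hits = @()
    foreach ($m in [regex]::Matches($Html, '(?is)<iframe\b[^>]*>')) {
        $tag = $m.Value
        # Pull the src attribute; quotes are optional in injected tags, so allow bare values.
        $src = [regex]::Match($tag, '(?i)src\s*=\s*["'']?([^"''\s>]+)').Groups[1].Value
        if (-not $src) { continue }
        # Relative URLs have no host and are treated as same-site.
        $hostName = $null
        try { $hostName = ([uri]$src).Host } catch { }
        $reasons = @()
        if ($hostName -and $hostName -ne $OwnHost)                        { $reasons += 'off-site' }
        if ($tag -match '(?i)\b(width|height)\s*=\s*["'']?0\b')            { $reasons += 'zero-size' }
        if ($tag -match '(?i)(display\s*:\s*none|visibility\s*:\s*hidden)') { $reasons += 'hidden' }
        if ($hostName -and ($Blocklist -contains $hostName))               { $reasons += 'blocklisted' }
        if ($reasons.Count -gt 0) {
            $hits += [pscustomobject]@{ Src = $src; Host = $hostName; Reasons = ($reasons -join ',') }
        }
    }
    return ,$hits
}

# Demo run over the constructed page: only the second iframe is reported.
Find-SuspiciousIframes -Html $SamplePage -OwnHost $OwnHost -Blocklist $Blocklist |
    Format-Table -AutoSize
```

To sweep a document root, feed each file's contents to the function, for example with Get-ChildItem -Recurse -Include *.html,*.htm,*.php piped through Get-Content -Raw. An off-site iframe is not proof of compromise on its own (ad networks use them), so treat "off-site" as a lead and the "zero-size", "hidden" and "blocklisted" reasons as the strong signals; and, as the reinfection pattern noted above suggests, removing the tag without closing the injection point only buys time.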