New Download.Ject Attack Hits IM Networks

The Download.Ject malware attack has resurfaced, using the popular
AIM and ICQ instant messaging networks to spread itself.

According to an alert from PivX Labs, the worm targets several known
flaws in Microsoft’s Internet Explorer (IE) browser
to redirect compromised machines to Web sites displaying adult
advertisement and referral links.

PivX Labs described the latest attack as a variant of the
Download.Ject attack,
which hijacked a large number of popular Web sites and used them
distribute malicious programs on infected machines.

The worm was programmed to download and install Trojan horse programs
like keystroke loggers, proxy servers and other back doors, which provided
full access to the infected system.

PivX Labs discovered the latest mutant, which appeared as an
innocuous looking instant message on AIM or ICQ which says: “My
personal home page http://XXXXXXX.X-XXXXXX.XXX/.”

“Once the user clicks on this link, IE opens a
malicious Web site that infects the user through several IE
vulnerabilities, such as Object Data, Ibiza CHM and MHTML Redirect,” the
company said, referring to several known, and still unpatched,
vulnerabilities in the world’s most widely used browser.

Once a system becomes infected, the worm modifies the IE homepage and
search pane and replaces them with a site called TargetSearch and several
browser windows displaying adult advertisement and referral links.

“There are obvious financial motivations behind this worm,” said PivX
researcher Thor Larholm. “This is additional proof that virus writers
are becoming more creative in their efforts to wreak havoc on the
Internet community.”

America Online spokesman Andrew Weinstein made it
clear the latest attack was not the result of a security hole in the
company’s public IM products.

“This is a security issue with Internet
Explorer,” Weinstein told internetnews.com. “But, it points out the importance of being extremely cautious
before clicking on any link in any communication a user receives,
whether in an IM or e-mail.

“We continue to caution our users to avoid clicking on URLs links
from unknown users or links they don’t expect to receive, even if
it’s from someone on their buddy list,” said Weinstein.

Microsoft’s security section contains a page
dedicated to Download.Ject, which contains links to a free virus
removal tool and information on configuration
changes that could minimize the threat.

The software giant has also issued a
patch that promised a comprehensive fix to the core vulnerability, which
led to the Download.Ject attack. But researchers insist that the
browser is a security risk.