VML Exploit Growing In Severity

The VML exploit is growing quickly and a mass email attack could be just days away, warn security experts who are tracking the problem.

The exploit was first discovered early this week by Sunbelt Software. The exploit is a buffer overflow in the Vector Markup Language (VML) library that allows for remote code execution.

However, the real danger is that it could infect a computer without the user doing anything. All you had to do was have the preview pane turned on in Microsoft Outlook and that would be enough to launch the exploit. The preview pane would render the script in an email, and a script could be written to cause the buffer overflow.

VeriSign iDefense has been watching for VML attacks and saw some light traffic, but on Thursday morning, “our board lit up like a Christmas tree,” said Ken Dunham, director of the rapid response team at VeriSign.

At least 18 networks have been compromised by attacks, including one domain host provider that had over 500 domains modified to redirect users to a hostile VML exploiting Web site.

The hackers behind that hijacking knew what they were doing, according to Dunham. He said they exploited a PHP vulnerability and when the administrators logged in, the exploit erased all files to cover its tracks.

There have been three types of attacks, two of which are simple execution of the exploit code and the third a more unique adaptation of the code. The latter is more troublesome, as once the skilled hackers figure out how to use it, there will be some creativity applied.

“Since organized crime is behind most of these, they have to test their software to make sure it’s detected by as few antivirus programs as possible. So they have to finish their QA process just as Microsoft is testing their patch of the exploit,” said Randy Abrams, director of technical education for antivirus vendor ESET Software.

The criminals behind it are mostly Russian mafia and Asian syndicates, and their goal is information theft. They won’t just take the proof of concept code circulating among script kiddies, they will make their own exploit that antivirus and anti-spyware programs won’t detect, he said.

“Once that happens you’ll start to see widespread mailings. This is very well-funded stuff and they want the most bang for their buck, so they’re going to test and make sure they can get past everything they can,” said Abrams.

Abrams said he saw one case where a VML exploit directed the user to a Web site that tried to download 30 different pieces of malware,  such as form capture bots  and keystroke loggers.

And now the exploit is moving to email. Dan Hubbard, vice president of security research at WebSense, which develops security products that operate at the hardware level, said on Thursday a southeast Asian hacker gang sent out a widespread email to thousands of potential victims.

“These people are good and have infected people before,” said Hubbard. Now that hackers are getting their arms around the VML code, he expects smarter attacks to come.

“I would say that soon there will more than likely be a widespread spam campaign in Europe, or the U.S., with a deception technique that gets people to click on a link. Monday [September 25] is a good candidate for that,” said Hubbard.

A Microsoft  spokesperson said the company has not changed its plans to issue a patch on October 10, the date of its monthly patch. iDefense is encouraging people to take a number of steps in advance of the patch.

This includes disabling JavaScript, since some attacks utilize JavaScript to launch the attack, using a non-IE browser, disabling the preview pain in Outlook, and most importantly, disabling the VML DLL in the computer.

This is done by running the following command from the Windows command line: regsvr32 -u “%ProgramFiles%Common FilesMicrosoft SharedVGXvgx.dll”. Do that, and the library cannot be called by any exploit.

Some security experts have made a work-around patch, which does essentially the same thing. The work-around unregisters the DLL, patches the vulnerability and re-registers it. However, both Dunham and Abrams cautioned that there is always the possibility for incompatibility with other applications and Microsoft’s official patch when it’s released.

Hubbard says every indication is that the VML exploit will be as severe as the WMF exploit from earlier this year, if not worse. “The exploit was found, proof of concept came out, people do copycats, attacks gets upgraded — just like what happened in WMF,” he said.

The potential for it to be much bigger is that there are a lot of sites with WebAttacker in them already. WebAttacker is a spyware  creation kit that simplifies launching attacks on computers. VML doesn’t have to do anything more than simply refer a compromised computer to a server with WebAttacker and WebAttacker does the rest.

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web