Seeker Trojan exploits old Microsoft flaw


Slam Microsoft security all you want, but if the Redmond giant issues a patch and you don't install it, shame on you if your company's system falls victim to a piece of malicious software.

Sophos warned users on Thursday about JS/Seeker-E, a Trojan that exploits a vulnerability in the Microsoft Virtual Machine (VM) that was discovered and patched in October 2000. The UK antivirus firm has had several reports of JS/Seeker-E in circulation, which Graham Cluley, Sophos' senior technology consultant, called a disturbing indication of lax patching by IT managers.

"I don't think this Trojan is as serious as other viruses we have seen recently. It does not replicate and causes little damage," Cluley said. "What is concerning me is that many companies have still not patched against a vulnerability Microsoft went public about 14 months ago!"

Microsoft's patch closes a hole in Microsoft VM (3000-series builds, 3317 or earlier) that could allow an attacker to take remote control of a computer if the vulnerable user were coaxed into visiting a malicious Web site.

Microsoft VM for Win32 operating environments ships with Windows 2000, NT 4.0, ME, 98 and 95 as well as Internet Explorer.

The original VM hole could allow an attacker using a Java applet on a malicious Web site to take over a visiting machine. Microsoft VM allows ActiveX controls to be created and manipulated by Java applications or applets, Microsoft said. Normally, this feature is available only to standalone Java applications or digitally signed applets. The VM hole allows ActiveX controls to be created and used from a Web page or HTML e-mail without requiring a signed applet, according to the original Microsoft security bulletin. Because an ActiveX control runs with the full privileges of the logged-on user, an unsigned applet that can create one can do anything that user can.

Seeker uses the hole to modify the computer's Internet Explorer settings, such as the home page and search settings, so that they point to pornographic Web sites, Sophos said.

"It is still a dangerous vulnerability as it allows remote users to perform actions on your computer without your permission if you have not patched your browser," said Cluley.

Seeker writes to the following registry key:

HKCU\Software\Microsoft\Internet Explorer

Administrators should delete the malicious file and reset the IE settings, Cluley said. Unpatched browsers should be updated, and Cluley also suggests that administrators subscribe to Microsoft's security mailing list to stay up to date on such vulnerabilities.
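The clean-up Cluley describes can be scripted. The following PowerShell is an added example, not code from the article or from Sophos: it audits (and with -Reset, restores) the Internet Explorer home and search values under the key named above, then checks whether the Microsoft VM build is still one covered by the October 2000 bulletin (MS00-075, builds 3000 through 3317). The specific value names, the placeholder baseline URLs and allowed hosts, and the jview.exe banner format are assumptions, not details the article gives.

```powershell
# Added example (not from the article or Sophos): audit, and with -Reset
# restore, the IE home/search values a Seeker-style hijacker changes under
# HKCU\Software\Microsoft\Internet Explorer, then check the Microsoft VM build.
# Assumptions not stated on the page: the value names below are the standard
# IE 5/6 settings under that key; the baseline URLs and allowed hosts are
# placeholders for your own; jview.exe prints a banner with "Version 5.00.<build>".
[CmdletBinding()]
param(
    [switch]$Reset,
    [string[]]$AllowedHosts = @('intranet.example.com', 'www.microsoft.com'),
    [string]$BaselineStartPage  = 'http://intranet.example.com/',
    [string]$BaselineSearchPage = 'http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch'
)

$ieRoot = 'HKCU:\Software\Microsoft\Internet Explorer'

# Assumed value names (well-known IE settings; the article names only the key).
$watched = @(
    @{ Key = "$ieRoot\Main";   Name = 'Start Page';       Baseline = $BaselineStartPage  }
    @{ Key = "$ieRoot\Main";   Name = 'Default_Page_URL'; Baseline = $BaselineStartPage  }
    @{ Key = "$ieRoot\Main";   Name = 'Search Page';      Baseline = $BaselineSearchPage }
    @{ Key = "$ieRoot\Search"; Name = 'SearchAssistant';  Baseline = $BaselineSearchPage }
    @{ Key = "$ieRoot\Search"; Name = 'CustomizeSearch';  Baseline = $BaselineSearchPage }
)

function Test-AllowedUrl {
    param([string]$Url, [string[]]$Hosts)
    # 'about:blank' is a common legitimate setting; anything else must parse as
    # an absolute URL whose host is on the allow list, otherwise it is flagged.
    if ($Url -eq 'about:blank') { return $true }
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) { return $false }
    return ($Hosts -contains $uri.Host)
}

function Get-MicrosoftVmBuild {
    # Returns the Microsoft VM build number parsed from jview.exe's banner, or
    # $null when jview.exe is not installed (assumed banner format, see above).
    $jview = Get-Command jview.exe -ErrorAction SilentlyContinue
    if (-not $jview) { return $null }
    $banner = (& $jview.Source 2>&1) -join "`n"
    if ($banner -match 'Version\s+\d+\.\d+\.(\d+)') { return [int]$Matches[1] }
    return $null
}

$findings = @()
foreach ($w in $watched) {
    if (-not (Test-Path $w.Key)) { continue }
    $current = (Get-ItemProperty -Path $w.Key -Name $w.Name -ErrorAction SilentlyContinue).($w.Name)
    if ([string]::IsNullOrEmpty($current)) { continue }
    if (Test-AllowedUrl -Url $current -Hosts $AllowedHosts) { continue }
    $findings += [pscustomobject]@{ Key = $w.Key; Name = $w.Name; Value = $current }
    if ($Reset) {
        Set-ItemProperty -Path $w.Key -Name $w.Name -Value $w.Baseline
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No unexpected home/search values under $ieRoot."
} else {
    $findings | Format-Table -AutoSize | Out-String | Write-Output
    if ($Reset) { Write-Output "Reset $($findings.Count) value(s) to baseline." }
}

$build = Get-MicrosoftVmBuild
if ($null -eq $build) {
    Write-Output 'Microsoft VM (jview.exe) not found; no VM build to check.'
} elseif ($build -le 3317) {
    Write-Output "Microsoft VM build $build is 3317 or earlier: the October 2000 patch is NOT applied."
} else {
    Write-Output "Microsoft VM build $build is later than 3317."
}
```

Run it first without -Reset to see what it would change. Because the hijacked values live under HKCU, the script must run in the affected user's own session (or against that user's loaded hive); running it from an administrator's account audits the administrator's settings, not the victim's. It does not delete the dropped script file, since the article does not name it, and resetting the registry values without deleting the file and patching the VM only invites the same change again.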

"Javascript itself should be safe -- it's only because there was a hole in Microsoft's implementation that this vulnerability works. Javascript is still very commonly used on websites, and many browsers support it," Cluley said. "Fortunately Microsoft patched the hole. Unfortunately some people haven't put the patch in place."
