Internet Explorer under attack ...even if not in use
New spyware affects browser without it being opened
By Matthew Broersma | Techworld | Published: 17:54, 17 March 2005
With the number of non-Internet Explorer (IE) browsers expanding rapidly, a new spyware attack has surfaced that uses Java to infect IE even when the browser isn't being used at the time.
The result, says a researcher, is that even users of browsers such as Mozilla, Firefox and Avant can find their Windows operating system and Internet Explorer browser infested with malicious code. While limited in its effectiveness, the attack is significant because it represents a shift away from the use of browser-specific technology as an attack vector, said some security experts.
Previous attacks have often used technology such as ActiveX which can only interact with IE; many users have switched away from IE specifically to get away from such technologies.
News of the attack first surfaced on a Web forum and was later investigated by Christopher Boyd of Vitalsecurity.org, a UK-based security news site. When users visit an infected site, they are asked to install a Java applet distributed by "Integrated Search Technologies".
If the user agrees, a .jar file is downloaded, which proceeds to download and install a number of adware applications, according to Boyd. Internet Explorer then automatically opens, displaying advertisements and embedded advertising tools. The attack works regardless of IE's security settings, Boyd said. The installed adware includes DyFuCA, Internet Optimizer, ISTsvc, Kapabout, sais (180 Solutions), SideFind and Avenue Media, he said.
Several factors limit the seriousness of this particular attack. It only works with Sun's Java Runtime Environment, not that made by Microsoft. The Java dialogue box warns that the applet's security certificate was issued by a company that is "not trusted", and that the certificate "has expired or is not yet valid". However, such warnings will not necessarily keep users from installing the applet, particularly if it appears on an innocuous site, Boyd said. The applet turned up on a site distributing Neil Diamond lyrics.
The installer works on Firefox, Mozilla, Netscape and Avant, but was blocked on NetCaptor and Opera, Boyd said. "Only two out of six had the good sense to steer clear of even asking the user if they wanted to install the applet," Boyd wrote on Vitalsecurity.org.
Not everyone agrees the attack is any cause for concern. Mike Healan, of anti-spyware site SpywareInfo, said Java attacks are nothing to worry about because applets always generate a warning before installing code that runs outside the Runtime Environment's "sandbox", its security-protected area. "Personally, I don't see this installer as a problem. It can't do anything unless the user ignores a very stern security warning," he said in a comment on the site.