Security experts say a Trojan horse directed traffic from popular Web sites to an IP address designated by the attacker.
Vulnerabilities in Microsoft"s Internet Explorer Web browser have been exploited again, security experts said on Thursday, this time by a Trojan horse that redirected traffic from more than 100 popular Web sites to an IP address designated by the attacker. The Trojan, dubbed Qhosts and Delude.B by various anti-virus vendors, redirected traffic on compromised machines from a large number of legitimate sites--primarily search engines, among them those found at AltaVista, Google, Lycos, MSN, and Yahoo. According to Computer Associates, requests to surf to those search sites were shunted instead to a Web site that was taken offline within 24 hours of the Trojan"s appearance. "This is another attempt by an attacker, probably the same attacker who wrote the original Delude Trojan earlier this month, to hijack Web sites and potentially profit from that redirection," said Ken Dunham, the director of malicious code for iDefense, a 5-year-old company that specializes in security intelligence and provides information to clients through partners such as British Telecom and Japan"s Itochu Corp.
"It"s definitely another exploit of the vulnerabilities that still exist within Internet Explorer." Qhosts is only the most recent exploit of Internet Explorer vulnerabilities. Starting last week, and continuing over the weekend, others commandeered AOL Instant Messenger accounts and downloaded code that forced users" computers to dial 900 numbers. The flaw in Internet Explorer stems from a problem the browser has in correctly determining Object Types, and was thought to be patched by a fix that Microsoft released on Aug. 20. But that patch hasn"t put a stop to attacks. "Just by surfing the Web with Internet Explorer, attackers can install anything, at will, on your system and you won"t even know it," said Dunham. By exploiting the vulnerabilities, "attackers can use any kind of HTML content to install a Trojan."