Multiple Malware, One Exploit: How HTML_SHELLCOD.SM Operates

Written by: Ryan Angelo Certeza

It is inevitable for vulnerabilities that can be exploited in commercial software to exist.

The reasons for this are innumerable and may range from faulty code to operational conflicts with other commercial software. Vulnerabilities, especially zero-day vulnerabilities, are particularly dangerous due to the potential havoc they can wreak upon unsuspecting, unprotected users. These allow cyber criminals to send commands to an infected system, pushing it to perform unauthorized actions.

It then follows that eagle-eyed cybercriminals looking to further their malicious money-making machinations will seek to exploit all of the vulnerabilities present in the most efficient way possible.

HTML_SHELLCOD.SM, a recently discovered malware that took advantage of a certain vulnerability in Internet Explorer (IE), is a prime example of this in motion. We detect all files targeting the said IE vulnerability as HTML_SHELLCOD.SM. It exemplifies how a single vulnerability can be exploited to allow devastating malware payloads to run on a system or network, including stealing sensitive and confidential information.

How does this threat attack users?

HTML_SHELLCOD.SM may be hosted on certain websites. It runs whenever a user accesses the websites where it is hosted.

What happens when the threat infects a system?

Once HTML_SHELLCOD.SM has successfully taken advantage of the Uninitialized Memory Corruption Vulnerability (CVE-2010-3962) in IE, it connects to various URLs to download other malicious files detected as TROJ_LAMECHI.D, JS_EXPLOIT.ADA, JS_EXPLOIT.SM1, HTML_SHELLCOD.SM, TROJ_DLOADER.DAMPE_PARITE.A, and TSPY_ARDAMAX.HR onto the affected systems.

Other variants of HTML_SHELLCOD.SM are known to execute a command shell to possibly download other files from the hosting site.

How does this threat affect users?

Users of HTML_SHELLCOD.SM-infected systems may find themselves affected by other malware as well, due to the multiple malicious files that can take advantage of this vulnerability.

This malware can render an infected system unusable. Should other malware with backdoor or spyware capabilities exploit the vulnerability to enter a system, the user’s confidential information may also be put at risk. For instance, TROJ_GAMETHI.FMS, one of the malware HTML_SHELLCOD.SM downloads, steals user names and passwords related to popular online games such as Maple Story, Dungeon Fighter, Ragnarok Online, and World of Warcraft.

This can lead to compromised user accounts for the said games.

Another malware, TSPY_ARDAMAX.HR, logs keystrokes and accesses certain sites and chat logs, which further compromises a user’s privacy.

How can users remove this threat from infected systems?

Affected users can remove this threat from their systems by disabling System Restore, closing all open browser windows, and scanning their computers with their registered Trend Micro product.

As soon as the detected files have been deleted, cleaned, or quarantined, users can download the security patch that addresses the critical vulnerability in IE to protect their systems from reinfection.

Are Trend Micro product users protected from this threat?

Yes. Trend Micro™ Smart Protection Network™ protects users from this threat by blocking the URLs that the malware connects to in an attempt to download other malicious files. The payloads themselves are also detected by Trend Micro products, which accordingly get rid of threats with their highly robust malware-cleaning technologies.

What can users do to prevent this threat from affecting their computers?

Users can prevent HTML_SHELLCOD.SM from affecting their computers by making sure that the software concerned (IE) is properly patched and updated. Users can download the patch that addresses the critical issue from this page. Besides this, they may also follow these best practices when surfing the Web:

If you have a fairly good idea what site you want to visit, directly type in its URL into the browser’s address bar to avoid stumbling upon bad links in search engines.

1. Do not click suspicious-looking URLs even if these appear as top search engine results.

2. Consider a link suspicious if any or some of its components (e.g.,:////?) is made up of random characters.

3. Read the overview of the search result (the set of text that appears right after the title page in bold). The search result can also be considered suspicious if the overview does not provide a sensible brief description of the site. A sure sign of blackhat-search-engine-optimization (SEO)-related sites is the presence of randomly stuffed keywords in the overview.

4. Check the page rating of a website listed on a search engine results page before clicking the link.

5. Install a good URL-filtering program such as Web Protection Add-On that can be integrated into browsers.

FROM THE FIELD: EXPERT INSIGHTS

"For the past few years, social engineering proved to be the most effective method of proliferating malware. One effective alternative, however, is by cybercriminals doing it the technical way via zero day exploits. Now that users are becoming more aware with these social engineering attacks, are exploits going to be the next frontier for malware infection?" Roland Dela Paz, Trend Micro Threat Response Engineer