In the last two weeks, hackers have exploited an 18-month-old vulnerability in Microsoft Windows in three high-profile attack campaigns to infect PCs with advanced rootkits and launch infections from thousands of compromised Web sites.
Since Dec. 28, the same exploit has been used by attackers who jumped on the news of former Pakistani Prime Minister Benazir Bhutto's assassination, by attackers who earlier had hacked thousands of sites using a robotic SQL injection attack, and by the creators of a sophisticated master boot record rootkit invisible to Windows.
The exploit is for a bug within an MDAC (Microsoft Data Access Components) bug patched in April 2006 by Microsoft's MS06-014 security update. When Microsoft fixed the flaw, it issued updates for every version of Windows then supported, from Windows 2000 through Windows XP to Windows Server 2003.
Within days of the April 2006 release of a fix, hackers had come up with a working exploit. And it's been in continual use since then, said Roger Thompson, chief research officer of Grisoft SRO. "It's popular because it really works," Thompson said as he explained why he thought the exploit remained popular. "It doesn't require a special version of Windows, it works with them all except Vista, and it doesn't require anything else, like a specific version of Internet Explorer.
"And it's also easy to tweak," he said.
The combination has proven irresistible. "It's a 'good' exploit," Thompson said, meaning 'bad' for users. "It's in all the exploit packages for one thing."
Attack kits like Mpack, Icepack and Neosploit have become popular with cyber criminals, especially technically-challenged crooks, because they can simply point-and-shoot one or more exploits at victims from malware hosts or compromised Web sites.
"[MS06-014] is as common as can be," said Thompson, so it's no surprise that the exploit has shown up in several recent attacks. "The reality of it is that if you're not patched, it works like a charm. And a lot of people aren't patched, or [the attackers] wouldn't be using this."
Other notable attacks that have relied on the MDAC exploit include the hijacked Bank of India site in August 2007, and the one launched from the hacked Web site belonging to the Miami Dolphins NFL team last February, just days before the Dolphin's stadium hosted Super Bowl XLI.