
2012 Press Releases

Trend Micro Warning: Hackers Launched Two "Zero-Day" Attacks through an IE Vulnerability

Used Trojan and Backdoor to Attempt to Steal User Information.
Users and Enterprises Should be Cautious.

【Taipei, Sep 21, 2012】Trend Micro (TYO: 4704;TSE: 4704), leading provider of cloud security software, has detected attacks that exploit a software vulnerability. The attackers exploited a vulnerability found in IE, using the HTML_EXPDROP.II trojan to drop the backdoors BKDR_POISON.BMN and BKDR_PLUGX.BNM. The two attacks may have compromised the user’s information on the computer or device. The server used by the backdoors was also previously used for zero-day attacks through Java-related vulnerabilities. Apart from the two identified backdoors, it has not yet been confirmed whether the user’s device is infected with other viruses, trojans or backdoors.

Trend Micro has once again detected two attacks through an IE vulnerability, following the identification of the zero-day attack on a Java vulnerability not long ago. The first attack used the trojan HTML_EXPDROP.II; if successful, the trojan drops a malicious .SWF file (SWF_DROPPR.II). The .SWF file then drops a backdoor detected as BKDR_POISON.BMN. The backdoor connects back to the server, allowing the hacker to control the computer and steal information from it. The payload of the second attack is the backdoor BKDR_PLUGX.BNM, a variant of the recently discovered PlugX remote access tool (RAT). It has been demonstrated to have significant information theft and backdoor capabilities, and is used as a component of sophisticated information theft campaigns.

Richard Sheng, senior director of Trend Micro, states, “Attacking through software vulnerabilities is already a common method for hackers, as seen by the previous attacks through Adobe and Java’s vulnerabilities. It is not the first time we have seen this type of attack, using a trojan to drop a backdoor. Different than regular updates, it is recommended that users edit IE’s Security Settings and install appropriate information security software in order to effectively block trojans and backdoors.”

Trend Micro recommends the following IE Security Settings:
Tools → Internet Options → “Security” tab → select “Internet” → click “Custom level…” → for the “Active scripting” setting under “Scripting”, select “Prompt” → click “OK”.
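
For administrators who want to check or apply the same setting without the dialog, the following PowerShell sketch is an added example, not part of the Trend Micro release. It assumes the standard Internet Explorer zone registry layout (zone 3 is "Internet", URL action 1400 is "Active scripting", value 1 is "Prompt"); the function names are hypothetical.

```powershell
# Added example: audit and set IE "Active scripting" for the Internet zone.
# Assumed layout: zone 3 = Internet, action 1400 = Active scripting,
# values 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneSubKey   = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$PolicySubKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Action       = '1400'
$Names        = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveScriptingSetting {
    # Group Policy locations are listed first because a value set there
    # takes precedence over the per-user preference.
    $locations = @("HKLM:\$PolicySubKey", "HKCU:\$PolicySubKey", "HKCU:\$ZoneSubKey")
    foreach ($path in $locations) {
        $item = Get-ItemProperty -Path $path -Name $Action -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $value   = [int]$item.$Action
        $meaning = 'Unknown'
        if ($Names.ContainsKey($value)) { $meaning = $Names[$value] }
        [pscustomobject]@{ Path = $path; Value = $value; Meaning = $meaning }
    }
}

function Set-ActiveScriptingPrompt {
    # Writes the per-user preference only; policy keys are left untouched.
    $path = "HKCU:\$ZoneSubKey"
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    Set-ItemProperty -Path $path -Name $Action -Value 1 -Type DWord
}

$before = @(Get-ActiveScriptingSetting)
$before | Format-Table -AutoSize

if ($before | Where-Object { $_.Path -like '*\Policies\*' }) {
    Write-Warning 'A Group Policy value exists; change it in policy, not per user.'
} else {
    Set-ActiveScriptingPrompt
    Get-ActiveScriptingSetting | Format-Table -AutoSize
}
```

Restart Internet Explorer after the change so the new zone setting is read.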


Trend Micro has already provided security protection for all clients of Deep Security and IDF. Trend Micro recommends that users run programs that can proactively detect and block malicious programs and websites in order to be protected from similar attacks. For more information, see: http://apac.trendmicro.com/apac/solutions/enterprise/security-solutions/virtualization/deep-security/

For details about the trojan and related information, see the following links:
http://about-threats.trendmicro.com/us/malware/html_expdrop.ii
http://about-threats.trendmicro.com/us/malware/swf_droppr.ii

About Trend Micro
Trend Micro Incorporated (TYO: 4704;TSE: 4704), a global cloud security leader, creates a world safe for exchanging digital information with its Internet content security and threat management solutions for businesses and consumers.  A pioneer in server security with over 20 years’ experience, we deliver top-ranked client, server and cloud-based security that fits our customers’ and partners’ needs, stops new threats faster, and protects data in physical, virtualized and cloud environments. Powered by the industry-leading Trend Micro™ Smart Protection Network™ cloud security infrastructure, our products and services stop threats where they emerge – from the Internet. They are supported by 1,000+ threat intelligence experts around the globe. 
Additional information about Trend Micro Incorporated and the products and services are available at TrendMicro.com. This Trend Micro news release and other announcements are available at http://trendmicro.mediaroom.com/ and as part of an RSS feed at www.trendmicro.com/rss. Or follow our news on Twitter at @TrendMicro.