Topic: Virus-like infection hits Web sites

[Clive]

Electric News.net
Friday, June 25 2004
by Matthew Clark
 
Security experts have expressed serious concern about recently discovered flaws in Internet Explorer that seem to be the focus of an insidious attack.  
The exact nature of the problem remains somewhat unclear, although experts within many of the world's top e-security firms, as well as the SANS Institute and the US Department of Homeland Security, have acknowledged that something is amiss.

It seems that many popular Web sites, including search engines and shopping sites, have been secretly hacked and have had mysterious code placed on their Web servers, unbeknownst to IT managers. When a user running Internet Explorer logs on to a contaminated site, the user's PC is infected with malicious code, which has the potential to cause further problems.

Backdoors are opened on infected PCs and some experts have said that key logging software is also installed, allowing the creators of the code to steal passwords, PIN numbers and credit card details. Other experts suggest that the hackers behind the malware are actually loading computers with so-called "adware" or "spamware," software that can push unwanted ads to users or steal personal data for the purpose of spam e-mailing.

A few experts have pointed to the possibility of an enormous Distributed Denial of Service (DDoS) attack once enough computers are converted into zombies, but most have dismissed this possibility.

"This is what everyone has been really frightened about for a while now," said Conor Flynn, technical director with Rits Information Security in Dublin. The fear is rooted in the fact that there is no patch from Microsoft for the flaws, nor is there any indication that a patch is on the verge of being released. Though the virus-like infection rate remains low, experts like Flynn say the matter could become a more serious problem unless a fix is released soon. "There is no question that this one could be devastating," he said.

While some exerts are looking to develop fixes, others are busy tracking down the perpetrators, who could be spammers, one of the few groups to have made money from hacking. Others say the engineers could include Eastern European or Russian-organised crime gangs, noting that the "high quality" code that infects Web sites redirects browsers to Russian-based Web servers.

For Web site proprietors, the best defence is to ensure that Web servers are fully patched and guarded against all attacks -- particularly those running Internet Information Server (IIS), which seems to be a favourite of attackers due to previously revealed vulnerabilities.

Home users, meanwhile, should shut down options like ActiveX on Internet Explorer, which is a mechanism used by malicious code to upload onto PCs. Some experts have gone as far as to recommend that users switch to Opera, Safari, Netscape or Mozilla, Internet Explorer's rival browsers.

 
http://www.electricnews.net/frontpage/news-9540865.html

[Simon]

Some experts have gone as far as to recommend that users switch to Opera, Safari, Netscape or Mozilla, Internet Explorer's rival browsers.

**Cough!**  :whistle:

[Clive]

Nasty cough you have there Simon.    But you can't come between me and my new-found friend now.  We are as one.   8)  8)  8)

[Simon]

We are as one.   8)  8)  8)

Yes, and so is Avant and Internet Explorer!    

[Clive]

Oh bugger!  Further update from BBC:

Web browser flaw prompts warning
 
 
Microsoft has issued advice about the loophole
Users are being told to avoid using Internet Explorer until Microsoft patches a serious security hole in it.  

The loophole is being exploited to open a backdoor on a PC that could let criminals take control of a machine.

The threat of infection is so high because the code created to exploit the loophole has somehow been placed on many popular websites.

Experts say the list of compromised sites involves banks, auction and price comparison firms and is growing fast.

Serious problem

The net watchdog, the US Computer Emergency Reponse Center, and the net security monitor, the Internet Storm Center, have both issued warnings about the combined threat of compromised websites and browser loophole.

Cert said: "Users should be aware that any website, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code."

In its round-up of the threat the Internet Storm Center bluntly stated that users should if possible "use a browser other then MS Internet Explorer until the current vulnerabilities in MSIE are patched."

 CHECKING FOR INFECTION
Click the Start button and then click on Search
Make sure you choose the option to look through all files and folders
Search for files called Kk32.dll and Surf.dat
If infected use up to date anti-virus software to remove the malicious code.
 
So far it is unclear how the malicious code that exploits the weakness in Microsoft's Internet Explorer has been inserted on popular websites.

What is known that any Windows 2000 Server that does not have the MS04-011 security update installed and is running Internet Information Server could be at risk.

The virulent Sasser worm exploited loopholes closed by this update so many servers are likely to be patched against the problem.

Infected servers are adding a malicious chunk of Javascript to all the web, gif and jpg files served up to anyone browsing the sites they host.

When loading on a browsing PC, this chunk of code might trigger a Windows error message.

Once downloaded the code redirects a browser to a Russian website which tries to install a program that opens a backdoor into the PC.

Some net service firms have started blocking access to this Russian site.

Check for infection

Anti-virus firms are now working on putting detectors for the chunk of code in to their scanning software.

Security firm Symantec said the malicious code was not widespread and did little damage.

The reason that the server/browser combination has been created remains a mystery.

Some speculate that it is the work of spammers looking to create yet another network of compliant PCs that can be used as proxies to spread junk mail.

Microsoft has issued advice to consumers and web administrators about dealing with the problem.

Administrators are urged to apply the update that will make them immune to infection.

Home users are being told to update their browser and avoid the threat by turning off Javascript. However, this could mean that some webpages do not display as expected.

Microsoft has also given advice about how people can check if they are infected.

So far the server/browser combination has not been given a single name. In its warning about the problem Microsoft calls it download.ject but others, such as F-Secure, are calling it Scob.

 http://news.bbc.co.uk/1/hi/technology/3840101.stm

[Clive]

Further reading for the dedicated at this CNET website:

http://tinyurl.com/2v6rl

[Simon]

 

[Clive]

:bart: :curse: :boobs: :bitch:

[Clive]

Internet browser breach defused
 
The Russian web server at the centre of a serious net security problem has been shut down.
When visited by unwitting web users the server exploited loopholes in Microsoft's Internet Explorer and opened a backdoor into compromised PCs.

When first discovered, the security problem prompted experts to tell people to avoid using Internet Explorer.

The problem was judged serious because many trusted websites were innocently sending people to the suspect server.

Security scare

When visited, the Russian computer was downloading computer code that could give malicious attackers complete control over a compromised machine.

So far Microsoft has not produced a patch for the loophole that this code sneaks through.

The loophole being exploited was first found two weeks ago.

Microsoft has urged users to update their browsers, raise security settings to high and disable Javascript. It adds that making these changes could mean some websites do not display as expected.

The software giant has also posted advice to help people find out if they have fallen victim to the bug which Microsoft has dubbed download.ject. Others are calling it the scob trojan.

Analysis by security firm Lurhq reports that the downloading code is a variant of the Berbew/Webber/Padodor trojan.

Speaking during a trip to Australia Microsoft Chairman Bill Gates said: "The thing we have to do is not only get these patches done very quickly..., we also have to convince people to turn on auto-update."

He added: "We will guarantee that the average time to fix will continue to come down."

Warnings about the problems caused by the Internet Explorer and server combination were first released by the US Computer Emergency Response Team and the Internet Storm Center.

It is not yet known how many websites and PCs have fallen victim to the combined attack.

However, the sting in the tail of this security problem now seems to have been removed as the server at the centre of it is shut off.

Soon after the problem became known late last week, many net service firms started blocking the web address of the Russian server.

The popular websites that were unwittingly contributing to the problem by directing people to this Russian server appear to some of the few that have not closed vulnerabilities exploited by the Sasser worm.

According to Lurhq the code that Internet Explorer downloads is designed to steal login information for Ebay, Paypal, Earthlink, Juno and Yahoo accounts.

 http://news.bbc.co.uk/1/hi/technology/3847277.stm