Ibiza Trojan is a trip

Edward Hurley, News Writer

Web surfers need to be cautious of a new Trojan out there that exploits a vulnerability in Microsoft Internet Explorer, for which there is no patch.

The malware is introduced when end users click through to what looks like a travel-related page but is, in fact, a "hostile" site that allows the Trojan to implant itself on visitors' machines.

According to Ken Dunham, director of malicious code at iDefense, there were at least 5,000 machines infected with Ibiza-A as of today. The company came to that estimate by looking at a Web site that the Trojan creator set up to ascertain which machines are infected.

Even fully updated machines running Internet Explorer 6 will be susceptible to the attack as there is not a patch available for the flaw.

When infecting a system, Ibiza launches a program that downloads and installs code. It may download file mstask.exe, which then installs svchost in the Windows directory. The Trojan also changes the Windows registry so it starts when Windows is booted up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Online Service=C:\WINDOWS DIRECTORY\svchost.exe

Ibiza could cause some systems to crash, according to iDefense. If installed "properly," the Trojan opens TCP port 10002 and listens for commands from its creator. An attacker could potentially steal passwords from compromised machines, modify settings and change files.

An important distinction has to be made. As Ibiza is a Trojan, it cannot spread by itself. The attacker would need to entice victims to a Web site that would infect their machines. For example, a message containing the infectious URL can be spammed out with something enticing, such as "Today's your lucky day! You've won the lottery" or "Free porno for the next 24 hours," Dunham said. "It wouldn't be hard to get people to click on the link."

Unfortunately, there really isn't much that Internet Explorer users can do to protect themselves from Ibiza. Safe computing practices, such as only visiting major Web sites, would help, but they aren't a sure fix since sites can be hijacked or spoofed.

Firewalls can be helpful in determining if a machine is infected, since port 10002 would be open. Users can minimize damage by configuring their firewalls to only allow outbound traffic from specified ports.

The only surefire way to prevent infection is to use a different browser such as Mozilla or Opera, which aren't affected by the flaw, Dunham said.
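The indicators reported above (a TCP listener on port 10002 and a Run value named "Online Service" pointing at svchost.exe in the Windows directory) can be checked from saved command output. The following Python sketch is an added example, not code from the article or from iDefense; the sample `netstat -ano` and `reg query` output, the path C:\WINDOWS\svchost.exe and the function names are constructed for illustration.

```python
import re

IBIZA_PORT = 10002                 # listener port named in the article
RUN_VALUE_NAME = "online service"  # Run value name named in the article

# Constructed sample of `netstat -ano` output (not from a real host).
NETSTAT_SAMPLE = r"""
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:10002          0.0.0.0:0              LISTENING       1844
  TCP    192.168.1.20:1045      203.0.113.7:80         ESTABLISHED     2020
"""

# Constructed sample of `reg query` output for the HKLM ...\CurrentVersion\Run key.
REG_SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleUpdater    REG_SZ    "C:\Program Files\Example\updater.exe" /background
    Online Service    REG_SZ    C:\WINDOWS\svchost.exe
"""

def listeners_on(netstat_text, port=IBIZA_PORT):
    """Return (local_address, pid) for each TCP socket LISTENING on `port`."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()  # Proto, Local Address, Foreign Address, State, PID
        if len(f) >= 5 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == str(port):
                hits.append((f[1], f[4]))
    return hits

def suspicious_run_values(reg_text):
    """Return (name, data, reasons) for Run values matching the reported behaviour."""
    hits = []
    for line in reg_text.splitlines():
        m = re.match(r"^\s+(.+?)\s{2,}REG_(?:EXPAND_)?SZ\s{2,}(.*)$", line)
        if not m:
            continue
        name, data = m.group(1), m.group(2).strip()
        reasons = []
        if name.lower() == RUN_VALUE_NAME:
            reasons.append("value name matches")
        # The genuine svchost.exe lives in System32, not directly in the Windows directory.
        path = data.lower()
        if "\\svchost.exe" in path and "\\system32\\svchost.exe" not in path:
            reasons.append("svchost.exe outside System32")
        if reasons:
            hits.append((name, data, reasons))
    return hits

if __name__ == "__main__":
    print(listeners_on(NETSTAT_SAMPLE))
    print(suspicious_run_values(REG_SAMPLE))
```

The PID returned for a listener can be matched against the process list to confirm which executable owns the socket.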

