Ibiza Trojan is a trip


Web surfers need to be cautious of a new Trojan out there that exploits a vulnerability in Microsoft Internet Explorer, for which there is no patch.

The malware is introduced when end users click through to what looks like a travel-related page but is, in fact, a "hostile" site that allows the Trojan to implant itself on visitors' machines.


According to Ken Dunham, director of malicious code at iDefense, there were at least 5,000 machines infected with Ibiza-A as of today. The company came to that estimate by looking at a Web site that the Trojan creator set up to ascertain which machines are infected.

Even fully updated machines running Internet Explorer 6 will be susceptible to the attack as there is not a patch available for the flaw.

When infecting a system, Ibiza launches a program that downloads and installs code. It may download the file mstask.exe, which then installs svchost in the Windows directory. The Trojan also changes the Windows registry so that it starts when Windows boots:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Online Service=C:\WINDOWS DIRECTORY\svchost.exe

Ibiza could cause some systems to crash, according to iDefense. If installed "properly," the Trojan opens TCP port 10002 and listens for commands from its creator. An attacker could potentially steal passwords from compromised machines, modify settings and change files.

An important distinction has to be made. As Ibiza is a Trojan, it cannot spread by itself. The attacker would need to entice victims to a Web site that would infect their machines. For example, a message containing the infectious URL can be spammed out with something enticing, such as "Today's your lucky day! You've won the lottery" or "Free porno for the next 24 hours," Dunham said. "It wouldn't be hard to get people to click on the link."

Unfortunately there really isn't much that Internet Explorer users can do to protect themselves from Ibiza. Safe computing practices, such as only visiting major Web sites, would help but it isn't a sure fix since sites can be hijacked or spoofed.

Firewalls can be helpful in determining if a machine is infected since port 10002 would be open. Users can minimize damage by configuring their firewalls to only allow outbound traffic from specified ports.
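A triage check built from the indicators reported in this article (a listener on TCP port 10002 and the "Online Service" Run value launching svchost.exe from the Windows directory), added here as an example and not taken from iDefense or SearchSecurity.com. It parses saved `netstat -ano` and `reg query` output; the function names and sample text are constructed, and the System32 test assumes the genuine svchost.exe lives under System32.

```python
import re

IBIZA_PORT = 10002             # TCP port the article says the Trojan opens
RUN_VALUE = "online service"   # Run value name given in the article

def listeners_on_port(netstat_text, port=IBIZA_PORT):
    """PIDs of TCP sockets in LISTENING state on `port` (`netstat -ano` text)."""
    pids = []
    for line in netstat_text.splitlines():
        f = line.split()  # Proto, Local Address, Foreign Address, State, PID
        if len(f) == 5 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            if f[1].rsplit(":", 1)[-1] == str(port):
                pids.append(int(f[4]))
    return pids

def suspicious_run_entries(reg_text):
    """Run values named "Online Service", or launching svchost.exe from
    anywhere other than System32 (`reg query` text)."""
    hits = []
    for line in reg_text.splitlines():
        m = re.match(r"\s+(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.+)$", line)
        if not m:
            continue  # key header or blank line
        name, path = m.group(1), m.group(2).strip().strip('"')
        lower = path.lower()
        rogue = lower.endswith("\\svchost.exe") and "\\system32\\" not in lower
        if name.lower() == RUN_VALUE or rogue:
            hits.append((name, path))
    return hits

# Constructed sample output, not captured from a real host.
SAMPLE_NETSTAT = r"""
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:10002          0.0.0.0:0              LISTENING       1844
  TCP    10.0.0.5:1040          10.0.0.9:10002         ESTABLISHED     2200
"""
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Online Service    REG_SZ    C:\WINDOWS\svchost.exe
"""

if __name__ == "__main__":
    print("listener PIDs:", listeners_on_port(SAMPLE_NETSTAT))
    print("Run entries:  ", suspicious_run_entries(SAMPLE_REG))
```

An outbound connection to port 10002 on another host (the ESTABLISHED row in the sample) is deliberately not counted; only a local listener matches the behaviour described above.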

The only surefire way to prevent infection is to use a different browser such as Mozilla or Opera, which aren't affected by the flaw, Dunham said.