A widespread Internet attack has hit thousands of Web sites in the past week, planting malware on vulnerable machines. The malware may be designed to steal credit card and other information, which is then sold in organized identity theft markets, according to government officials and information security experts.
"This is nasty by the look of it," said Scott Blake, vice president of information security at BindView Corp. of Houston. "This appears to be a zero-day exploit, and that's a big concern that's hard to respond to. In this case, we're not sure of a workaround, but we're hoping to come up with one as quickly as possible."
The U.S. Computer Emergency Readiness Team (US-CERT) said in an advisory that it is aware of suspicious activity focused on sites running Microsoft Internet Information Services 5.0 and Internet Explorer, components of Windows.
Microsoft is also investigating the attack, and said customers who have deployed Windows XP Service Pack 2 RC2 are not at risk. The software giant said in a new security bulletin that Web servers running Windows 2000 Server and IIS that have not applied the fixes outlined in MS04-011 may be compromised. The bulletin advises systems administrators to apply the patches in MS04-011.
The Internet Storm Center, a service of the SANS Institute of Bethesda, Md., said in its latest report that "a large number of Web sites, some of them quite popular, [were] compromised earlier this week to distribute malicious code." It did not say which sites were affected.
"Hundreds to thousands of computers could feasibly be infected in just a few hours using compromised IIS servers as the launching pad for this attack," Ken Dunham, director of malicious code for iDEFENSE Inc. of Reston, Va., said in an e-mail. "Everyone needs to audit recent patches and ensure that computers are fully patched. Additionally, IE users should consider modifying the Windows registry to set the 'kill bit' until a patch is available."
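The "kill bit" Dunham refers to is a per-control registry flag that stops Internet Explorer from instantiating an ActiveX control identified by its CLSID. The script below is an added example, not code from the article or from any of the vendors it quotes; it sets the flag under the ActiveX Compatibility key and then reads it back to confirm. The CLSID used is a placeholder, since the article does not name the control involved; an administrator would substitute the CLSID of the control to be blocked, and the script must run from an elevated session because it writes to HKLM.

```powershell
param(
    # Placeholder CLSID (assumption, not from the article): replace with the
    # CLSID of the control you intend to block.
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'
)

# 0x400 is the documented "kill bit" value for the Compatibility Flags DWORD.
$KillBitFlag = 0x400
$CompatKey   = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Set-KillBit {
    param([string]$Path, [int]$Flag)
    # Create the per-CLSID key if it does not exist yet.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # OR the kill bit into any flags already present rather than overwriting them.
    $existing = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $newValue = ([int]$existing) -bor $Flag
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $newValue -Type DWord
    return $newValue
}

function Test-KillBit {
    param([string]$Path, [int]$Flag)
    # Report whether the kill bit is currently set for this CLSID.
    if (-not (Test-Path -Path $Path)) { return $false }
    $value = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ((([int]$value) -band $Flag) -eq $Flag)
}

Set-KillBit -Path $CompatKey -Flag $KillBitFlag | Out-Null
if (Test-KillBit -Path $CompatKey -Flag $KillBitFlag) {
    Write-Output "Kill bit set for $Clsid"
} else {
    Write-Output "Failed to set kill bit for $Clsid"
}
```

The flag takes effect for new Internet Explorer instances; existing browser windows should be closed. Test-KillBit can also be run on its own from an inventory script to audit which workstations already carry the setting.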
Dunham said such Trojans have historically been developed by the HangUP Team out of Russia, a for-profit malicious code group. They are designed to steal credit card and other information that is then sold in organized identity theft markets. The HangUP Team is the same group responsible for the recent rash of Korgo worms, which exploit the LSASS vulnerability addressed by MS04-011.
Further details of the attack can be found on the Internet Storm Center site.