The malicious Web site that generated last week's widespread Internet attack has been shut down. But there's concern in the information security community that while this assault is over, the road may have been cleared for more damaging mischief in the future.
"While the majority of the traffic has died down, we are still receiving reports of administrators finding log files with indicators of msits.exe download," the Internet Storm Center, a service of the SANS Institute of Bethesda, Md., reported Sunday night. "We would like to remind all users that even though the main issue is over, the same exploit is continuing to be used by Web sites out there for malicious purposes. Practically all of the major antivirus services have signatures for this exploit, which is also known as JS.Scob.Trojan, Scob and JS.Toofeer."
The attack targets users of Microsoft Internet Information Services 5.0 (IIS) and Internet Explorer. Experts believe the goal was to deliver malicious code to visitors of a compromised Web site; that code could be used to steal credit card and other information, which would then be marketed to organized identity theft markets.
The U.S. Computer Emergency Readiness Team (US-CERT) said in an
Experts believe the attack was engineered by the HangUP Team out of Russia, the same for-profit malicious code group responsible for the recent rash of Korgo worms that attack the LSASS vulnerability Microsoft outlined in MS04-011. Microsoft said customers who have deployed Windows XP Service Pack 2 RC2 are not at risk.
Microsoft issued a statement over the weekend that said it's "working with law enforcement and industry partners to identify the individuals or entities responsible" for "this criminal act" and to bring them to justice.
"Customers who believe they may have been attacked should contact their local FBI or Secret Service office" or post their complaint with the FBI's Internet Fraud Complaint Center (IFCC), the statement said. "Customers outside of the U.S. should contact the national law enforcement agency in their country."
Microsoft recommended customers take the following steps to protect their machines:
- Use an Internet firewall on all PCs and laptops.
- Update machines with all the latest security patches, which can be downloaded here.
- Use up-to-date antivirus software.