
UPDATED: Widespread attack under way

By Bill Brenner, News Writer
25 Jun 2004 | SearchSecurity.com


A widespread Internet attack has hit thousands of Web sites in the past week, planting malware on vulnerable machines. The malware may be designed to steal credit card and other information that is then marketed to organized identity theft markets, according to government officials and information security experts.

"This is nasty by the look of it," said Scott Blake, vice president of information security at BindView Corp. of Houston. "This appears to be a zero-day exploit, and that's a big concern that's hard to respond to. In this case, we're not sure of a workaround, but we're hoping to come up with one as quickly as possible."

The U.S. Computer Emergency Readiness Team (US-CERT) said in an advisory that it is aware of suspicious activity focused on sites running Microsoft Internet Information Services 5.0 and Internet Explorer, components of Windows.

"Compromised sites are appending JavaScript to the bottom of Web pages," the advisory said. "When executed, this JavaScript attempts to access a file hosted on another server. This file may contain malicious code that can affect the end user's system. US-CERT is investigating the origin of the IIS 5 compromises and the impact of the code that is downloaded to end user systems."

The agency recommends IT administrators running IIS 5 verify that there is no unusual JavaScript appended to the bottom of pages delivered by their Web server and that end users disable JavaScript unless it is absolutely necessary.

Microsoft is also investigating the attack, and said customers who have deployed Windows XP Service Pack 2 RC2 are not at risk. The software giant said in a new security bulletin that Web servers running Windows 2000 Server and IIS that have not applied fixes outlined in MS04-011 are possibly being compromised. The bulletin advises systems administrators to apply the patches in MS04-011.

The Internet Storm Center, a service of the SANS Institute of Bethesda, Md., said in its last report that "a large number of Web sites, some of them quite popular, [were] compromised earlier this week to distribute malicious code." It did not elaborate on which ones were impacted.

"Hundreds to thousands of computers could feasibly be infected in just a few hours using compromised IIS servers as the launching pad for this attack," Ken Dunham, director of malicious code for iDEFENSE Inc. of Reston, Va., said in an e-mail. "Everyone needs to audit recent patches and ensure that computers are fully patched. Additionally, IE users should consider modifying the Windows registry to set the 'kill bit' until a patch is available."

Dunham said such Trojans have historically been developed by the HangUP Team out of Russia, a for-profit malicious code group. They are designed to steal credit card and other information that is then marketed to organized identity theft markets. The HangUP Team is the same group responsible for the recent rash of Korgo worms that attack the LSASS vulnerability of MS04-011.

The Internet Storm Center said, "If a user visited an infected site, the javascript delivered by the site would instruct the user's browser to download an executable from a Russian Web site and install it. Different executables were observed. These Trojan horse programs include keystroke loggers, proxy servers and other back doors providing full access to the infected system."

The report added, "We do not know at this point how the affected servers have been compromised. The SSL-PCT exploit is at the top of our list of suspects. If you find a compromised server, we strongly recommend a complete rebuild. You may be able to get your Web site back into business by changing the footer setting and removing the javascript file. But this is likely a very sophisticated attack and you should expect other stealthy Backdoors."
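The check US-CERT recommends, written out as an added example (not code from US-CERT, the Internet Storm Center or Microsoft). It assumes static pages, and it assumes that because the script is attached through the server's footer setting, the files on disk can look clean while the served response does not, so it compares the two. The sample pages and finding names are constructed for illustration.

```python
import re

CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def after_closing_html(body):
    """Text that follows the last </html> tag ('' if none, or nothing follows)."""
    last = None
    for last in CLOSE_HTML.finditer(body):
        pass
    return body[last.end():].strip() if last else ""


def server_added_suffix(on_disk, served):
    """Content the server appended to a static file, or '' when the served
    body is not simply the file's content plus a suffix."""
    base, body = on_disk.rstrip(), served.rstrip()
    if body.startswith(base) and len(body) > len(base):
        return body[len(base):].strip()
    return ""


def audit(on_disk, served):
    """Compare a static page as stored with the same page as delivered."""
    findings = []
    if SCRIPT_TAG.search(after_closing_html(served)):
        findings.append("script-after-html")      # JavaScript at the bottom of the page
    if server_added_suffix(on_disk, served):
        findings.append("footer-not-on-disk")     # added at serve time, e.g. by a footer setting
    return findings


# Constructed samples: the file in the web root and two responses for it.
CLEAN = "<html><body><p>Welcome</p></body></html>\n"
TAMPERED = CLEAN + "<script>/* constructed placeholder */</script>\n"

if __name__ == "__main__":
    for label, disk, served in [("clean", CLEAN, CLEAN),
                                ("footer added by server", CLEAN, TAMPERED),
                                ("file itself modified", TAMPERED, TAMPERED)]:
        print(f"{label}: {audit(disk, served) or 'no findings'}")
```

In use, `served` would be the body fetched from the live server and `on_disk` the corresponding file read from the web root; dynamically generated pages need a known-good baseline instead of the file.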

Further details of the attack can be found on the storm center site.
