Ibiza Trojan is a trip

• Edward Hurley, News Writer
• Published: 13 Feb 2004

Web surfers need to be cautious of a new Trojan out there that exploits a vulnerability in Microsoft Internet Explorer, for which there is no patch.

The malware is introduced when end users click to what looks like a travel-related page but is, infact, a "hostile" site that allows the Trojan to implant into Internet browsers' machines.

Is there such a thing as safe Web surfing? Trojans such as Ibiza-A prey on people surfing the Web. Do you think there it is possible to surf safely? The editors of SearchSecurity.com would love to hear your thoughts on this topic. Click here.

Even fully updated machines running Internet Explorer 6 will be susceptible to the attack as there is not a patch available for the flaw.

When infecting a system, Ibiza launches a program that downloads and installs code. It may download file mstask.exe, which then installs svchost in the Windows directory. The Trojan also changes the Windows registry so it starts when Windows is booted up:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun Online Service=C:WINDOWS DIRECTORYsvchost.exe

Ibiza could cause some systems to crash, according to iDefense. If installed "properly," the Trojan opens TCP port 10002 and listens for commands from its creator. An attacker could potentially steal passwords from compromised machines, modify settings and change files.

An important distinction has to be made. As Ibiza is a Trojan, it cannot spread by itself. The attacker would need to entice victims to a Web site that would infect the code. For example, a message containing the infectious URL can be spammed out with something enticing, such as "Today's your lucky day! You've won the lottery" or "Free porno for the next 24 hours," Dunham said. "It wouldn't be hard to get people to click on the link."

Unfortunately there really isn't much that Internet Explorer users can do to protect themselves from Ibiza. Safe computing practices, such as only visiting major Web sites, would help but it isn't a sure fix since sites can be hijacked or spoofed.

Firewalls can be helpful in determining if a machine is infected since port 10002 would be open. Users can minimize damaging by configuring their firewalls to only allow outbound traffic from specified ports.

The only surefire way to prevent infection is to use a different browser such as Mozilla or Opera, which aren't affected by the flaw, Dunham said.