News

Ibiza Trojan is a trip

Beware of a Trojan masked as a travel Web site. It takes you to places you'd rather not see.

Edward Hurley, News Writer

Web surfers need to be cautious of a new Trojan out there that exploits a vulnerability in Microsoft Internet Explorer,...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

for which there is no patch.

The malware is introduced when end users click to what looks like a travel-related page but is, infact, a "hostile" site that allows the Trojan to implant into Internet browsers' machines.

Is there such a thing as safe Web surfing?

Trojans such as Ibiza-A prey on people surfing the Web. Do you think there it is possible to surf safely? The editors of SearchSecurity.com would love to hear your thoughts on this topic. Click here.

According to Ken Dunham, director of malicious code at iDefense, there were at least 5,000 machines infected with Ibiza-A as of today. The company came to that estimate by looking at a Web site that the Trojan creator set up to ascertain which machines are infected.

Even fully updated machines running Internet Explorer 6 will be susceptible to the attack as there is not a patch available for the flaw.

When infecting a system, Ibiza launches a program that downloads and installs code. It may download file mstask.exe, which then installs svchost in the Windows directory. The Trojan also changes the Windows registry so it starts when Windows is booted up:
HKLMSoftwareMicrosoftWindowsCurrentVersionRun Online Service=C:WINDOWS DIRECTORYsvchost.exe

Ibiza could cause some systems to crash, according to iDefense. If installed "properly," the Trojan opens TCP port 10002 and listens for commands from its creator. An attacker could potentially steal passwords from compromised machines, modify settings and change files.

An important distinction has to be made. As Ibiza is a Trojan, it cannot spread by itself. The attacker would need to entice victims to a Web site that would infect the code. For example, a message containing the infectious URL can be spammed out with something enticing, such as "Today's your lucky day! You've won the lottery" or "Free porno for the next 24 hours," Dunham said. "It wouldn't be hard to get people to click on the link."

Unfortunately there really isn't much that Internet Explorer users can do to protect themselves from Ibiza. Safe computing practices, such as only visiting major Web sites, would help but it isn't a sure fix since sites can be hijacked or spoofed.

Firewalls can be helpful in determining if a machine is infected since port 10002 would be open. Users can minimize damaging by configuring their firewalls to only allow outbound traffic from specified ports.

The only surefire way to prevent infection is to use a different browser such as Mozilla or Opera, which aren't affected by the flaw, Dunham said.

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

All
News
Get Started
Evaluate
Manage
Problem Solve

Related Resources

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.