Rich Kavanagh
Web site virus attack, full information
Fri Jun 25, 2004 17:31
64.140.158.4

Web site virus attack, full information ...Virus
Posted on Friday, June 25, 2004 at 17:59 by Rich Kavanagh
http://itvibe.com/default.aspx?NewsID=2675

We reported earlier today on the possible wide-spread threat to web sites that computer industry experts were warning of.

A mysterious, large-scale, Internet attack against thousands of popular websites appears to be taking place at this very moment. The virus-like infection tries to implant hacker type software on to the computers of all web site visitors who go to infected or malicious web sites.

We spoke to Graham.Cluley at Sophos this morning who told us,

"Yes, we're investigating this attack. We're calling the malware Scob.

We are likely to publish more information later today, but right now it appears this only affects web servers running Microsoft IIS 5 (so users of Microsoft IIS 6 - which comes with Windows 2003 Server - or web server software from other vendors are not affected). The javascript on infected web pages seems to try to download a trojan from a website, however in our tests so far it appears the trojan file is unavailable which would also stop this presenting a problem. Of course, it's possible a file could be made available later.

We'll let you know as we get more information. In the meantime it would be sensible for everybody to ensure their anti-virus, firewalls and Microsoft security patches are up-to-date. People who own websites running Microsoft IIS 5 may wish to check that their webpages do not contain any unexpected javascript code."

Since we spoke to Graham Cluley this morning, Sophos have released further details of the vulnerability. A full analysis of JS/Scob-A is available, along with some informational notes.

The SANS Internet Storm Center have also published an article on the threat.

Microsoft were equally quick to release information. An article on their website states that customers who have deployed Windows XP Service Pack 2 RC2 are not at risk, nor are those who have applied Microsoft Security Bulletin MS04-011.

Microsoft also recommend that home users send their computer to http://windowsupdate.microsoft.com and download all the "critical" updates and that system administrators ensure their servers have Security Bulletin MS04-011 applied.

The Internet Threat Level has been increased to AlertCon 2.
======================

Web surfers are no longer playing Russian roulette each time they visit a Web site, security researchers say, now that a far-reaching Internet attack has been disarmed.

The attack, which had turned some Web sites into points of digital infection was nipped in the bud on Friday, when Internet engineers managed to shut down a Russian server that had been the source of malicious code for the attack. Compromised Web sites are still attempting to infect Web surfers' PCs by referring them to the server in Russia, but that computer can no longer be reached.

Still, Web surfers should still take care, as this type of attack is increasingly being used by the Internet underground as a way to get by network defenses and infect officer workers' and home users' computers.

"This stops the problem for the short term," said Alfred Huger, senior director of engineering for security company Symantec. "However, it just takes a new culprit to come along and do the same thing all over again."

The attack worked by infecting some Web sites so that when Net surfers visited those sites, they were redirected to the Russian server, which downloaded software onto surfers' PCs. That software could be used by a remote attacker to control those computers. It's unclear what the attackers' motivation may have been. Some have speculated that the purpose could have been spam distribution.

"It is a tremendously powerful way to get into a corporation," Huger said of this sort of attack. "It is significantly easier to lure a number of employees to a compromised Web site than to get through a company's perimeter, which they may have spent hundreds of thousands of dollars to secure."

The tactic is not new. Earlier this month, an independent security researcher found an aggressive piece of advertising software, known as adware, that had installed itself on victims' computers. A large financial client called in Symantec in late April after an employee used Internet Explorer to browse an infected Web site and his system became infected. Additionally, last fall, a similar attack may have been facilitated through a mass intrusion at Interland, said sources familiar with that case.

The Internet Explorer flaws that allowed the Russian attack, however, affect every user of the Web browser, because Microsoft has not yet released a patch. Microsoft advised users to set their browsers' security to the highest settings, even though doing so could break some Web functionality. The company also promised a patch for the flaws soon.

"We are not seeing that this threat is widespread, but we believe the threat to be real," said Stephen Toulouse, security program manager for Microsoft's security response center.

Researchers believe that attackers seed the Web sites with malicious code by breaking into unsecured servers or by using a previously unknown vulnerability in Microsoft's Web software, Internet Information Server, or IIS. After that code redirected them to one of two sites, most often to the server in Russia, that server used the pair of Microsoft Internet Explorer vulnerabilities to upload and execute a remote access Trojan horse, also simply called a RAT, to the victim's PC. The software records the victim's keystrokes and opens a back door in the system's security, in that way allowing the attacker to access the computer.

It's unknown how many Web sites were compromised by attackers and whether any high-traffic sites were affected. But it's believed that the number of infected Web sites is relatively small given the total number of site on the Web.

Still, the network of compromised Web sites used in the attack is far larger than any before, said Johannes Ullrich, chief technology officer of the Internet Storm Center, an Net threat monitoring site.

"This is the first time that this many Web sites got hit," he said. "The only other widespread use of this attack was Nimda, and that didn't work very well because the exploit wasn't as effective."

Most antivirus companies issued updates overnight to allow their programs to detect the program when it is uploaded from the Internet to a victim's PC, so computer users should update their virus definitions as soon as possible, Ullrich said.
http://news.com.com/Web+site+virus+attack+blunted--for+now/2100-7349_3-5248279.html