[ISN] Hackers Attack Through Popular Web Sites

From: InfoSec News (isn@private)
Date: Fri Jun 25 2004 - 06:06:00 PDT

  • Next message: InfoSec News: "[ISN] Stephen Northcutt needs your help"

    By James Niccola
    Paul Roberts 
    Martyn Williams
    IDG News Service
    June 25, 2004
    Internet users visiting some of the most popular sites on the Web may
    unwittingly be downloading malicious code that compromises their
    computers and sets up a relay network for a future onslaught of spam,
    a security services company warns.
    NetSec, which provides managed security services for large businesses
    and government agencies, began detecting suspicious traffic on several
    of its customers' networks on Thursday morning, says Chief Technology
    Officer Brent Houlahan.
    Examining firewall logs and other data points on those networks,
    NetSec found that when users visit certain popular Web
    sites--including an online auction, a search engine, and a comparison
    shopping site--they unwittingly download a piece of malicious
    JavaScript code attached to an image or graphics file on the site.
    Without the user's knowledge, the code connects their PC to one of two
    IP addresses in North America and Russia. From those systems they
    unknowingly download a piece of malicious code that appears to install
    a keystroke reader and probably some other malicious code on the
    computer, Houlahan says.
    The code may be gathering the addresses of Web sites visited by
    affected users and the passwords used to access them. In addition, the
    IP address in Russia is a known source of spam, and the code may be
    creating a network of infected machines that could be used to relay
    spam across the Internet at some later date, he says.
    Under Investigation
    He stressed that NetSec is still examining the code and has yet to
    determine the exact payload or the intent of the attack. The SANS
    Institute's Storm Center is also studying the outbreak and has found
    that the code surreptitiously downloads and installs a Trojan horse
    program named msits.exe, according to Johannes Ullrich, chief
    technology officer at The SANS Institute's Internet Storm Center.
    Ullrich did not specify what functions are performed by the msits.exe
    NetSec declines to name the affected Web sites for liability reasons
    but says they are "big, big sites." It is probably the Web hosting
    facilities that cache content for those sites that are infected,
    rather than the "origin servers" at the Internet service providers
    themselves, Houlahan says.
    "The tricks used in this particular attack method are nothing new.  
    What's significant about this is the fact that it impacts major Web
    hosting facilities," says Dan Frasnelli, who manages NetSec's
    technical assistance center.
    The attack affects only users running Microsoft's Windows operating
    system and Internet Explorer browser, he says. It was unclear Thursday
    how the attack originated, but it may exploit a known vulnerability in
    Microsoft's IIS (Internet Information Services) Web Server software at
    the Web hosting facilities, Frasnelli says.
    The U.S. Computer Emergency Response Team (CERT) called on system
    administrators running IIS version 5 to verify to ensure there is no
    unusual JavaScript appended to the bottom of pages served by their
    Widespread Problem?
    It was also unclear Thursday afternoon how many systems had been
    compromised and how widespread the problem was. NetSec says it had
    protected its own customers by writing custom intrusion detection
    signatures and blocking its customers' PCs from visiting the IP
    addresses involved in the attack.
    "There's a potential for widespread impact because currently the
    [antivirus] vendors don't have a signature for it," Frasnelli says.
    CERT says the attack is another example of why users must exercise
    caution when JavaScript is enabled on their systems and recommended it
    be disabled unless it is absolutely necessary. The group warned even
    Web servers trusted by the user may be affected by this attack and
    contain malicious code.
    ISN mailing list
    Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
    (Broke? Spend 15 minutes a day on the project!)

    This archive was generated by hypermail 2b30 : Fri Jun 25 2004 - 07:10:25 PDT