[ISN] DoS Attack May Tap Web Graphics Flaw

From: InfoSec News (isn@private)
Date: Mon Jun 28 2004 - 02:45:58 PDT

  • Next message: InfoSec News: "[ISN] Wi-Fi hopper guilty of cyber-extortion"

    By Dennis Fisher 
    June 24, 2004    
    Security experts are tracking a new piece of malware that appears to
    be compromising large numbers of Windows PCs and may be laying the
    groundwork for the creation of a large spamming network or a major
    attack in the future.
    Analysts at NetSec Inc., a managed security services provider, began
    seeing indications of the compromises early Thursday morning and have
    since seen a large number of identical attacks on their customers'
    networks. The attack uses a novel vector: embedded code hidden in
    graphics on Web pages.
    When visitors to a few particular Web sites—including popular auction,
    shopping and price-comparison sites—request pages that include the
    malicious graphics, the code automatically downloads itself onto their
    machines. Once installed, the code unpacks itself and loads a
    keystroke logger on the PC.
    NetSec officials said the attack seems to exploit a vulnerability in
    Internet Explorer.
    The code then forces the machine to contact two IP addresses—one in
    Russia and one in the United States. The Russian site is hosted on a
    broadband connection and is part of a network known for spamming and
    other transgressions.
    After contacting these sites, the tool then downloads some other files
    to the compromised machine. NetSec officials said they are still
    analyzing the code and are unsure what the exact purpose of the new
    attack is.
    "We think it's probably a staging activity for further attacks," said
    Brent Houlahan, chief technology officer at NetSec, based in Herndon,
    Va. "It may be setting up for a large DDoS [distributed denial of
    service] attack or setting these machines up as spam relays."
    Compromised PCs often are used by attackers to launch large-scale DDoS
    attacks against one or more targets. And they also are valued by
    spammers who like to install software that enables them to send large
    volumes of spam messages from the machines. Using dozens or hundreds
    of compromised PCs makes it virtually impossible for investigators to
    track attacks or spam back to the original source.
    Houlahan said he was unsure how many machines had been compromised at
    this point.
    ISN mailing list
    Sponsored by: OSVDB.org - For 15 cents a day, you could help feed an InfoSec junkie!
    (Broke? Spend 15 minutes a day on the project!)

    This archive was generated by hypermail 2b30 : Mon Jun 28 2004 - 04:35:54 PDT