Online intruders breached the security of at least one server at advertising host Falk this weekend and used the computer to distribute an attack to the service's clients, including The Register, a technology news and opinion site.
Both Falk and The Register confirmed details of the attack, which infected some users' systems on Saturday morning. The problem was later corrected, Falk said. The attack used a recently discovered flaw in Microsoft's Internet Explorer 6 that has not yet been patched.
The attack used banner ads to infect victims' computers. According to security company Lurhq, the program, when viewed as an advertising banner, executes some fancy Internet footwork to jump to three other Web sites, further infecting the victim's computer at each step. Once compromised by the program, an infected system will allow an attacker to install additional programs.
"The attackers were not targeting...The Register," said Marcus Sachs, director of the Internet Storm Center, a network-monitoring group funded by the SANS Institute. "It just happens. If you did not have updated antivirus, you could have been hit by it."
The attack exposed, for the second time this year, the danger posed by insecure Web services. In June, an attack that similarly used a flaw in Internet Explorer was posted to several Russian sites. By exploiting a centralized advertising hosting service with insecure servers, the latest attack found a way to spread more widely.
Advertising hosts generally serve up banner advertisements to their Web site clients. What may seem like a banner, however, can easily contain malicious code, which is what happened when attackers breached the security of one of the servers at Falk, the company said.
"This attack made use of a weak point on this specific type of load balancer," Falk said in a statement. "The function of a load balancer is to evenly distribute requests to the multiple servers behind it. The system concerned was only used to handle a specific request type to our ad server and has now been investigated."
The attack is not a virus, because once it infects a user's system through Internet Explorer, the program will not spread further. However, many reports confuse the Internet Explorer vulnerability, referred to as the iFrame vulnerability, with the Bofra virus, which has used the flaw to spread. Bofra was originally referred to as a variant of the MyDoom virus. Security company Lurhq referred to the latest attack as Trojan.Agent.EC.
"The (program) was originally introduced to our European network, where it was first detected," Falk said in a statement. "As of 11:30 a.m. GMT (3:30 a.m. PST Saturday), the virus was removed from all Falk European and U.S. networks, and normal ad delivery was restored."
The Register blocked banner advertisements during the incident and said it does not plan to resume the service until Falk can make assurances regarding the security of its ads.
"We have asked Falk for an explanation and for further details of the incident, and pending this we do not intend to restart ad-serving via the company," The Register said in a statement. "Although the matter was beyond our direct control, we do not regard it as acceptable for any Register reader to be exposed in this way."
Microsoft pointed out that the attack will only infect PCs that have Internet Explorer 6 installed and do not have the Service Pack 2 update.
"Microsoft is working to forensically analyze the malicious code in Bofra and will work with international law enforcement to identify and bring to justice those responsible for this malicious activity," the company said in response to the Falk attack. "Microsoft is taking this vulnerability very seriously; accordingly, an update to correct the vulnerability is currently in development."
A representative of Microsoft, which has offered rewards for leads on virus attacks in the past, would not comment on whether the company plans to offer a reward for leads on Falk's attacker or those responsible for the Bofra virus.
The problem with SP2 is that it breaks things. Too many things that work on non-SP2 IE stop working on SP2. Then perhaps one can get them to work by turning off some security things, but then you're not protected. As far as I see, SP2 only disabled some features by default and placed some intimidating notices saying you're taking a risk when using them.
MS's answer? Upgrade to XP. No doubt.
My answer? Exit IE, Firefox here I come.