June 25, 2004 9:03 AM PDT

Researchers warn of infectious Web sites

update Security researchers warned Web surfers on Thursday to be on guard after uncovering evidence that widespread Web server compromises have turned corporate home pages into points of digital infection.

The researchers believe that online organized crime groups are breaking into Web servers and surreptitiously inserting code that takes advantage of two flaws in Internet Explorer that Microsoft has not yet fixed. Those flaws allow the Web server to install a program that takes control of the user's computer.

News.context

What's new:
Intruders are using compromised Web sites to infect visitors' PCs through two Internet Explorer flaws.

Bottom line:
This method of attack is increasingly being used by the Internet underground. While it's unknown how many Web sites carry the malicious program, Windows users should turn their IE security to the highest setting or install a third-party browser.

Late Thursday, Microsoft advised customers to increase their browser security to the highest settings, although that could cause some Web site functions to stop working.

The extent of the attacks is unknown, but the security community has seen numerous cases of personal computers infected when the user merely visits a Web site.

"It is not epidemic, but it is being seen," said Alfred Huger, senior director of engineering for security company Symantec. "Do we think it is serious? Yeah. It's a concern and it's insidious."

The tactic is not new. Earlier this month, an independent security researcher found an aggressive advertising program, known as adware, that installed itself onto a victim's computer via the same two flaws in Internet Explorer. A large financial client called in Symantec in late April after an employee's system had been infected when he used Internet Explorer to browse an infected Web site. Last fall, a similar attack may have been facilitated through a mass intrusion at Interland, said sources familiar with that case.

This time, however, the flaws affect every user of Internet Explorer, because Microsoft has not yet released a patch. Moreover, the infectious Web sites are not just those of minor companies inhabiting the backwaters of the Web, but major companies, including some banks, said Brent Houlahan, chief technology officer of NetSec.

"There's a pretty wide variety," he said. "There are auction sites, price comparison sites and financial institutions."


The Internet Storm Center, which monitors Net threats, confirmed that the list of infected sites included some large Web properties.

"We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.

The group also pointed out that the malicious program uploaded to a victim's computer is not currently detected as a virus by most antivirus software. With no patch from Microsoft, that leaves Internet Explorer users vulnerable. A representative of the software giant was not immediately available for comment on when a patch might be available.

Researchers believe that attackers seed the Web sites with malicious code by breaking into unsecured servers or by using a previously unknown vulnerability in Microsoft's Web software, Internet Information Server (IIS). When a victim browses the site, the injected code redirects the browser to one of two sites, most often to another server in Russia. That server uses the pair of Microsoft Internet Explorer vulnerabilities to upload and execute a remote access Trojan horse (RAT) on the victim's PC. The software records the victim's keystrokes and opens a back door in the system's security to allow the attacker to access the computer.
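The chain above starts with a legitimate site serving injected code that sends visitors elsewhere. As an added example (not part of the original article), here is a defender-side integrity check a site owner could run against their own pages: it parses served HTML and flags script, iframe or meta-refresh references that point to hosts outside an allow-list. The allow-list hosts and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts and frames from (assumed, site-specific).
ALLOWED_HOSTS = {"www.example-bank.test", "static.example-bank.test"}


class InjectionFinder(HTMLParser):
    """Collects script/iframe/meta-refresh targets that point off the allowed hosts."""

    def __init__(self, allowed):
        super().__init__()
        self.allowed = allowed
        self.findings = []  # list of (tag, url) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        url = None
        if tag in ("script", "iframe") and a.get("src"):
            url = a["src"]
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=http://host/path"
            m = re.search(r"url\s*=\s*([^;\s]+)", a.get("content") or "", re.I)
            if m:
                url = m.group(1)
        if url:
            host = urlparse(url).hostname  # None for relative URLs, which are local
            if host and host not in self.allowed:
                self.findings.append((tag, url))


def find_injected_references(html, allowed=ALLOWED_HOSTS):
    """Return off-site script/iframe/meta-refresh references found in served HTML."""
    parser = InjectionFinder(allowed)
    parser.feed(html)
    return parser.findings


# Constructed sample: a normal page with a meta refresh and a hidden iframe injected.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://attacker-host.invalid/redir.php">
<script src="https://static.example-bank.test/app.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://attacker-host.invalid/frame.htm" width="0" height="0"></iframe>
<script src="/local/menu.js"></script>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_injected_references(SAMPLE_PAGE):
        print(f"suspicious <{tag}> reference: {url}")
```

Run it against a baseline of your own served pages; a new finding on a page that had none is the signal that the server, not the visitor, has been tampered with.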

Currently, researchers have two theories as to who is behind the attacks. The Internet Storm Center pointed to the similarities between these attacks and previous virus epidemics aimed at co-opting computers for use in illegal spam networks.


"There is quite a bit of evidence that what we are seeing is yet another technique for spreading and installing 'spamware,'" the group stated on its site. "We don't see any evidence that this attack is related to the construction of a DDoS (distributed denial of service) network or other type of typical zombie-based attack group."

However, Symantec believes that the attacks last fall and in April, which the current one most resembles, were conducted by online organized crime groups from Russia. The theory is supported not only by the fact that the server storing the malicious code is in Russia, but also by the sophisticated nature of the attacks, Symantec's Huger said.

"It's a group of people that have resources to bring to play," he said, adding that the attack programs were not amateur material. "The code wasn't pulled off a Web site; it was custom."

Meanwhile, the average Internet surfer is left with few options. Besides choosing the highest security settings for Internet Explorer, Windows users could download an alternate browser, such as Mozilla or Opera. Mac users are not in danger.

NetSec's Houlahan advocated drastic action.

"I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now," he said.

20 comments

First, baby steps...Mozilla, Netscape or Opera...
"Meanwhile, the average Internet surfer is left with few options. Windows users could download an alternate browser, such as Mozilla or Opera, and Mac users are not in danger." Yes, that is a good start. I wonder why the author would only recommend just the multi-platform quick fixes (and the FreeBSD core / Unix-like Mac) that just side-step the real problem of the Operating System itself.
I and Millions of others around the world have been using Linux for many years now. Look to the reason. The functionally almost impervious to attack Linux system now offers, as a real desktop system, real solutions, not band-aids on a wound that will never heal. I have not had to deal with a virus in our company or home for four years. No downtime, No dollars spent fighting a losing battle, Simply change.
Posted by (2 comments )
Little guys are ignored
First: What link do I have to follow to become "known"?

Second...

"The functionally almost impervious to attack Linux system now offers, as a real desktop system, real solutions, not band-aids on a wound that will never heal. I have not had to deal with a virus in our company or home for four years"

I assure you, if Linux were used on as many machines as Windows is - you'd see viruses just as often as Windows users do.

All major programs have vulnerabilities. The most likely reason you haven't seen these problems is because virus writers try to infect as many machines as possible. Since the "target audience" is so small, it's been overlooked.

This is also, IMO, the reason why so few viruses are seen on Macs. Not that they're any less impervious... merely that virus writers are taking a "Why bother, it won't make the news" attitude.

IOW - the most popular OS will also be the one that receives the most attacks. Likewise, the least popular will receive the fewest.

(I never had to deal with viri on my TI-99/4A)
Posted by Jim Harmon (329 comments )
Nothing New
As a Mac User I would visit many websites and every once and a
while I would get a WIN32 error. Obviously the site still loaded
completely fine however I still didn't completely trust the
website's intentions. After checking the website through my
Virtual PC emulator I noticed that a virus was installed and tried
to take over system controls. This was quite funny though since
I just quit and restarted the program and everything was back to
normal. That was a year and a half ago. I thought it was common
knowledge. However, on a Windows computer there is no
warning, message or WIN32 error since it was installed without
any problems. Ironic really. I'm absolutely stunned that nobody
noticed this earlier.
Posted by (4 comments )
Well ...
Well ... What would you expect MS to do? They will patch this
sooner or later most likely later. This is exactly what the
customer wants. An OS so full of holes that a sieve can hold
more water.

The point is that MS is bundling or melding or basically
embedding everything into their OS that you have no choice but
to take your PC off line and never use floppies, CDs, DVDs, or
any other media that can spread a virus or worm.

It is time for people to jump ship and look at the alternatives.
There are other viable options and they initially require
retraining but in the long run you will get peace of mind.

Unless you are one of MS's customers that really did ask for
these headaches. Just remember about the analogy of the
lemmings.
Posted by wrwjpn (113 comments )
Firefox vs. the idiot
If you aren't using Firefox I equate that to screwing without a condom, which only an idiot would do. People are so wrapped up in the "MS is the best way to go" world that they consider everything else inferior. Never mind that that's the attitude only until they get nailed by a bad site.
Firefox is simply a better browser. Period. And for those rare cases where I run across an incompatible site (80% of the time it's an MS site like carpoint or is designed with FrontPage, go figure) I can temporarily load IE.
Get a freaking clue people.
Posted by Jonathan (832 comments )
No mention of Linux??
You mention Mozilla, Firefox and Opera for Windows (I use Opera when in Windows at work) and you mention that Mac users aren't affected (which uses a Linux-type kernel based on FreeBSD), but you didn't mention Linux, which I use at home and haven't worried about viruses, trojans or worms for years. Not that Linux is immune, just highly unlikely. It is also a lot more difficult to take control of a Linux machine and do anything important with it since users never have root control.
Posted by (1 comment )
NetSec's Houlahan lacks any credibility ...
if he isn't bright enough to use Mozilla, Firefox or any of the other alternatives to IE. "Stay off the internet"!? How lame!
Posted by (1 comment )
Already dealt with this problem
A couple months ago I discovered my wife's computer had a nasty infestation of some of the worst adware I've ever seen. I myself, on the other hand, had no problem. The difference? She used IE a lot, while I used Mozilla.

I'm really disappointed a so-called expert quoted in the article advocated getting off the Internet altogether over using an alternative browser. As if IE is the only way to access the Internet. I think that's really poor; there are other solutions far less drastic. I can say my wife's computer hasn't had another infestation since she started using Mozilla as her default browser.

Oh, and if you do have an adware problem, get Ad-Aware & Spybot Search & Destroy to help clean things up & keep your system clean.
Posted by (2 comments )
I never got infected
I never got infected.
I use xp sp1 rc2 and windows 98se.

I can't say if xp sp1 rc2 is vulnerable or not.
I guess I have not visited an infected site.

Also, I wish a site would tell you how to remove the infection manually. That would be helpful if I do get it with windows 98.
Posted by (1 comment )
Service Pack 2 prevents attack
From Microsoft: "Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk."

There's more info about Download.Ject at:

https://www.microsoft.com/security/incident/download_ject.mspx
Posted by (2 comments )
A question of fact, please.
This article and another I read earlier don't mention if Windows security will stop this kind of attack if/when it is fully implemented, or if the PC is only vulnerable when the user logs in as a Power User or Administrator. In other words, can the attacks that are being found install a program when the user does not have the rights to install anything?

Thanks.

MK
Posted by MCK68 (7 comments )
Not Likely
It's unlikely. One of the biggest problems with Windows is that 95% of the people that use it have admin-I-can-do-anything-without-a-password accounts. If MS changed the way they work with that (yes, sacrificing some ease of use for security) you'd find they would get far fewer viruses.
Posted by Stupendoussteve (28 comments )
Follow the path
I've picked up viruses on Google........
twice now and AV software couldn't get rid of them. I had to trace the path and delete.
AVG and McAfee BOTH told me that I had a virus .... AVG told me where...... such as C:/temp internetfiles/etc/etc

McAfee told me to run AVG, lol

it tried to put it into the virus vault but the computer would just lock up when I would try..... and I would have to reboot....... so you just follow the path: go to C and then Temp internet files then to etc. and so on
then delete

whatever path it gives you, you just follow and delete, Sharon
Posted by (1 comment )
Take out that malicious server in Russia
OK, so we know where the malicious code is coming from. How about we do something? Take it off the DNS maps. DDOS attacks. Find the host machines and unplug them (this requires someone on-site in Russia...). That at least will stop the spread.
Posted by magscanner (3 comments )
Take out the servers in Russia???
You're joking, right? Asking someone there who provides DNS and/or server space for these people to kill their accounts? Most of the crime syndicates there, cyber or otherwise, are run by former KGB. You think that anyone who isn't smoking crack is gonna mess with them? Ha! You have a better chance of getting Bill Gates to roll off of his money pile and fix the code himself.
Posted by neptolac (12 comments )
"I told my wife..."
"I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now," he said.

"Honey, we are such ****** idiots, all we know is what Microsoft puts in front of our faces. Like gerbils on a tread mill, we could never think enough for ourselves to actually install a non-virus-laden browser. Oh, our M$ sales rep is here, I'll get the vasoline".
Posted by (60 comments )
Indeed
All you do is change your shortcuts when wifey isn't using the computer. Delete all easy to get to references to IE to something like Mozilla.

Then tell her you changed it, and leave it at that. It's unlikely she'll have *many* issues (if any), and you won't get the stuff IE invites in the door.
Posted by Stupendoussteve (28 comments )