June 25, 2004 12:58 PM PDT

Web site virus attack blunted

Web surfers are no longer playing Russian roulette each time they visit a Web site, security researchers say, now that a far-reaching Internet attack has been disarmed.

The attack, which had turned some Web sites into points of digital infection, was nipped in the bud Friday, when Internet engineers managed to shut down a Russian server that had been the source of malicious code. Compromised Web sites are still attempting to infect Web surfers' PCs by referring them to the server in Russia, but that computer can no longer be reached.

Still, Web surfers should take precautions, as the Internet underground is increasingly using this type of attack as a way to get by network defenses and infect officer workers' and home users' computers.

"This stops the problem for the short term," said Alfred Huger, senior director of engineering for security company Symantec. "However, it just takes a new culprit to come along and do the same thing all over again."


Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.


The attack worked by infecting some Web sites so that when Net surfers visited those sites, they were redirected to the Russian server, which downloaded software onto surfers' PCs. That software could be used by a remote attacker to control those computers. It's unclear what the attackers' motivation may have been. Some have speculated that the purpose could have been spam distribution.

"It is a tremendously powerful way to get into a corporation," Huger said of this sort of attack. "It is significantly easier to lure a number of employees to a compromised Web site than to get through a company's perimeter, which they may have spent hundreds of thousands of dollars to secure."

The tactic is not new. Earlier this month, an independent security researcher found an aggressive piece of advertising software, known as adware, that had installed itself on victims' computers. A large financial client called in Symantec in late April after an employee used Internet Explorer to browse an infected Web site and his system became infected. Additionally, last fall, a similar attack may have been facilitated through a mass intrusion at Interland, sources familiar with that case said.

The Internet Explorer flaws that enabled the Russian attack, however, affect every user of the Web browser, because Microsoft has not yet released a patch. Microsoft advised users to set their browsers' security to the highest settings, even though doing so could break some Web functionality. The company also promised a patch for the flaws soon.

"We are not seeing that this threat is widespread, but we believe the threat to be real," said Stephen Toulouse, security program manager for Microsoft's security response center.

Researchers believe that attackers seed the Web sites with malicious code by breaking into unsecured servers or by using a previously unknown vulnerability in Microsoft's Web software, Internet Information Server, or IIS.

After that code redirected them to one of two sites, most often to the server in Russia, that server used the pair of Microsoft Internet Explorer vulnerabilities to upload and execute a remote access Trojan horse, also simply called a RAT, to the victim's PC. The software records the victim's keystrokes and opens a back door in the system's security, in that way allowing the attacker to access the computer.

It's unknown how many Web sites were compromised by attackers and whether any high-traffic sites were affected. But it's believed that the number of infected sites is relatively small, given the total number of sites that exist.

Still, the network of compromised sites used in the attack is far larger than any before, said Johannes Ullrich, chief technology officer of the Internet Storm Center, a Net threat-monitoring site.

"This is the first time that this many Web sites got hit," he said. "The only other widespread use of this attack was Nimda, and that didn't work very well, because the exploit wasn't as effective."

Most antivirus companies issued updates overnight to allow their programs to detect the program when it is uploaded from the Internet to a victim's PC, so computer users should update their virus definitions as soon as possible, Ullrich said.

8 comments

Join the conversation!
Add your comment
Wow.
The way things are working now, before too long someone will have a virus/hack that will effectively infect all of the US..and possibly the world.

This may not sound very possible right now..but technology is constantly growing..and before long it will easily be with reach
Posted by (9 comments )
Reply Link Flag
Wow.
The way things are working now, before too long someone will have a virus/hack that will effectively infect all of the US..and possibly the world.

This may not sound very possible right now..but technology is constantly growing..and before long it will easily be with reach
Posted by (9 comments )
Reply Link Flag
Where is the attack on the Surfer?
I would like to know where is the attack point to the avarage web surfer?
Does it come in from the IE browser?
You se i use OPERA and woul;d like to know if Simply using a different Browser will help to eliminate alot of these web attacks.
It seems to me that almost every Microsoft patch ive seen in the past year has had something to do with a buffer overflow, and the text to the patch's always reffers to "if a Malichiious web site, were to install a code to...etc...etc.."
So my main question here is Where is the Flaw for these things lying, if its simply in the browser, should not a different browser solve the problem...assuming the source code of the browser is not identical to Microsoft?
Posted by (2 comments )
Reply Link Flag
Browser security -- latest threat
Yes, as you've stated, this is yet another exploit originating with an unpatched Microsoft IIS web server -- one that you've visited. On the client side, the exploit uses a so far unpatched vulnerability in Microsoft Internet Explorer configured at a security setting of *less than* "high."

If you're using an alternative browser (e.g. Opera, Mozilla, Netscape, etc.) you should not be affected, provided that you're OS patches are up-to-date.

This is yet another example of an exploit rendered harmless simply by avoiding the installation or use of Internet Explorer, Outlook, and a host of other integrated Microsoft operating system 'add-ons'.

Lose 'em -- *don't use 'em*!
Posted by djugan (40 comments )
Link Flag
Where is the attack on the Surfer?
I would like to know where is the attack point to the avarage web surfer?
Does it come in from the IE browser?
You se i use OPERA and woul;d like to know if Simply using a different Browser will help to eliminate alot of these web attacks.
It seems to me that almost every Microsoft patch ive seen in the past year has had something to do with a buffer overflow, and the text to the patch's always reffers to "if a Malichiious web site, were to install a code to...etc...etc.."
So my main question here is Where is the Flaw for these things lying, if its simply in the browser, should not a different browser solve the problem...assuming the source code of the browser is not identical to Microsoft?
Posted by (2 comments )
Reply Link Flag
Browser security -- latest threat
Yes, as you've stated, this is yet another exploit originating with an unpatched Microsoft IIS web server -- one that you've visited. On the client side, the exploit uses a so far unpatched vulnerability in Microsoft Internet Explorer configured at a security setting of *less than* "high."

If you're using an alternative browser (e.g. Opera, Mozilla, Netscape, etc.) you should not be affected, provided that you're OS patches are up-to-date.

This is yet another example of an exploit rendered harmless simply by avoiding the installation or use of Internet Explorer, Outlook, and a host of other integrated Microsoft operating system 'add-ons'.

Lose 'em -- *don't use 'em*!
Posted by djugan (40 comments )
Link Flag
help, I have contacted many viruses and need my computor for work tommorrow
Posted by gardens12 (1 comment )
Reply Link Flag
My website was recently attacked by a Russian site. They encrypted their script, so if you search by "http://", you won't find any suspicious website. Try to look for javascript code that is not formatted, and once found it, try to see if you can find the same scripts in all files on your site. For details, check my blog <a href="http://geekatwork.wordpress.com/2010/03/26/website-virus-detection/">http://geekatwork.wordpress.com/2010/03/26/website-virus-detection/</a>
Posted by xiannong (2 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.