Web site virus attack blunted

Web surfers are no longer playing Russian roulette each time they visit a Web site, security researchers say, now that a far-reaching Internet attack has been disarmed.

The attack, which had turned some Web sites into points of digital infection, was nipped in the bud Friday, when Internet engineers managed to shut down a Russian server that had been the source of malicious code. Compromised Web sites are still attempting to infect Web surfers' PCs by referring them to the server in Russia, but that computer can no longer be reached.

Still, Web surfers should take precautions, as the Internet underground is increasingly using this type of attack as a way to get by network defenses and infect officer workers' and home users' computers.

"This stops the problem for the short term," said Alfred Huger, senior director of engineering for security company Symantec. "However, it just takes a new culprit to come along and do the same thing all over again."

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

The attack worked by infecting some Web sites so that when Net surfers visited those sites, they were redirected to the Russian server, which downloaded software onto surfers' PCs. That software could be used by a remote attacker to control those computers. It's unclear what the attackers' motivation may have been. Some have speculated that the purpose could have been spam distribution.

"It is a tremendously powerful way to get into a corporation," Huger said of this sort of attack. "It is significantly easier to lure a number of employees to a compromised Web site than to get through a company's perimeter, which they may have spent hundreds of thousands of dollars to secure."

The tactic is not new. Earlier this month, an independent security researcher found an aggressive piece of advertising software, known as adware, that had installed itself on victims' computers. A large financial client called in Symantec in late April after an employee used Internet Explorer to browse an infected Web site and his system became infected. Additionally, last fall, a similar attack may have been facilitated through a mass intrusion at Interland, sources familiar with that case said.

The Internet Explorer flaws that enabled the Russian attack, however, affect every user of the Web browser, because Microsoft has not yet released a patch. Microsoft advised users to set their browsers' security to the highest settings, even though doing so could break some Web functionality. The company also promised a patch for the flaws soon.

"We are not seeing that this threat is widespread, but we believe the threat to be real," said Stephen Toulouse, security program manager for Microsoft's security response center.

Researchers believe that attackers seed the Web sites with malicious code by breaking into unsecured servers or by using a previously unknown vulnerability in Microsoft's Web software, Internet Information Server, or IIS.

After that code redirected them to one of two sites, most often to the server in Russia, that server used the pair of Microsoft Internet Explorer vulnerabilities to upload and execute a remote access Trojan horse, also simply called a RAT, to the victim's PC. The software records the victim's keystrokes and opens a back door in the system's security, in that way allowing the attacker to access the computer.

It's unknown how many Web sites were compromised by attackers and whether any high-traffic sites were affected. But it's believed that the number of infected sites is relatively small, given the total number of sites that exist.

Still, the network of compromised sites used in the attack is far larger than any before, said Johannes Ullrich, chief technology officer of the Internet Storm Center, a Net threat-monitoring site.

"This is the first time that this many Web sites got hit," he said. "The only other widespread use of this attack was Nimda, and that didn't work very well, because the exploit wasn't as effective."

Most antivirus companies issued updates overnight to allow their programs to detect the program when it is uploaded from the Internet to a victim's PC, so computer users should update their virus definitions as soon as possible, Ullrich said.

Wow.

The way things are working now, before too long someone will have a virus/hack that will effectively infect all of the US..and possibly the world.

This may not sound very possible right now..but technology is constantly growing..and before long it will easily be with reach

Wow.

The way things are working now, before too long someone will have a virus/hack that will effectively infect all of the US..and possibly the world.

This may not sound very possible right now..but technology is constantly growing..and before long it will easily be with reach

Where is the attack on the Surfer?

I would like to know where is the attack point to the avarage web surfer?
Does it come in from the IE browser?
You se i use OPERA and woul;d like to know if Simply using a different Browser will help to eliminate alot of these web attacks.
It seems to me that almost every Microsoft patch ive seen in the past year has had something to do with a buffer overflow, and the text to the patch's always reffers to "if a Malichiious web site, were to install a code to...etc...etc.."
So my main question here is Where is the Flaw for these things lying, if its simply in the browser, should not a different browser solve the problem...assuming the source code of the browser is not identical to Microsoft?

[djugan]

Browser security -- latest threat

Yes, as you've stated, this is yet another exploit originating with an unpatched Microsoft IIS web server -- one that you've visited. On the client side, the exploit uses a so far unpatched vulnerability in Microsoft Internet Explorer configured at a security setting of *less than* "high."

If you're using an alternative browser (e.g. Opera, Mozilla, Netscape, etc.) you should not be affected, provided that you're OS patches are up-to-date.

This is yet another example of an exploit rendered harmless simply by avoiding the installation or use of Internet Explorer, Outlook, and a host of other integrated Microsoft operating system 'add-ons'.

Lose 'em -- *don't use 'em*!

Where is the attack on the Surfer?

I would like to know where is the attack point to the avarage web surfer?
Does it come in from the IE browser?
You se i use OPERA and woul;d like to know if Simply using a different Browser will help to eliminate alot of these web attacks.
It seems to me that almost every Microsoft patch ive seen in the past year has had something to do with a buffer overflow, and the text to the patch's always reffers to "if a Malichiious web site, were to install a code to...etc...etc.."
So my main question here is Where is the Flaw for these things lying, if its simply in the browser, should not a different browser solve the problem...assuming the source code of the browser is not identical to Microsoft?

[djugan]

Browser security -- latest threat

Yes, as you've stated, this is yet another exploit originating with an unpatched Microsoft IIS web server -- one that you've visited. On the client side, the exploit uses a so far unpatched vulnerability in Microsoft Internet Explorer configured at a security setting of *less than* "high."

If you're using an alternative browser (e.g. Opera, Mozilla, Netscape, etc.) you should not be affected, provided that you're OS patches are up-to-date.

This is yet another example of an exploit rendered harmless simply by avoiding the installation or use of Internet Explorer, Outlook, and a host of other integrated Microsoft operating system 'add-ons'.

Lose 'em -- *don't use 'em*!