PC Users Warned of Infected Web Sites

From: IE Flaw (anonymous_at_discussions.microsoft.com)
Date: 06/25/04

Date: Fri, 25 Jun 2004 13:02:59 -0700

By Brian Krebs
washingtonpost.com Staff Writer
Friday, June 25, 2004; 3:30 PM

Computer security experts and the federal government are
warning Internet users to take extra precautions when
browsing the Web after an Internet attack seeded Web sites
with programs that hackers can use to steal personal

The attack is more dangerous than most, according to the
government's US-CERT cybersecurity center, because it
affects even computers that are running updated antivirus
and firewall software. Infection is possible just by
visiting affected Web sites, according to US-CERT, a
division of the U.S. Department of Homeland Security.

The attackers, whose identities are unknown, targeted a
flaw in Web sites powered by Microsoft's Internet
Information Server (IIS). The sites hit by the attack were
programmed to redirect the Explorer browser to another Web
site that contains code that hackers use to record what
people type on their keyboards -- including data such as
passwords, credit card and Social Security numbers. The
code then e-mails that information back to the attackers.
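The mechanism described above (a compromised IIS site serving pages that send the browser off to a third-party host) leaves a trace in the HTML the server actually delivers: a script, frame or redirect pointing at a host the site owner does not control. The following is an added example, not code from the article or from any of the organisations it names, of an integrity check a site operator could run over their own served pages. The allowed host list, the sample HTML and the off-site host names in it are constructed for illustration; `find_external_references` is a hypothetical helper name.

```python
"""Flag script, frame and redirect references that point off-site in served HTML.

Added example for a site operator checking pages served by their own web
server for seeded redirects or script loads to hosts they do not control.
The sample HTML and host names below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag attributes that make the browser fetch or navigate elsewhere.
REF_ATTRS = {
    "script": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "object": ("data",),
    "embed": ("src",),
}

# Absolute URLs embedded in inline script bodies (e.g. a location assignment).
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class ExternalRefFinder(HTMLParser):
    """Collect (tag, url) pairs whose host is not in the operator's allow list."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._in_script = False

    def _check(self, tag, url):
        host = (urlparse(url).hostname or "").lower()
        # Relative URLs have no host and stay on the serving site.
        if host and host not in self.allowed:
            self.findings.append((tag, url))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            # content is of the form "0;url=http://host/path"
            parts = attrs.get("content", "").split("url=", 1)
            if len(parts) == 2:
                self._check("meta", parts[1].strip())
            return
        for attr in REF_ATTRS.get(tag, ()):
            url = attrs.get(attr)
            if url:
                self._check(tag, url)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands the raw body of a <script> element to handle_data.
        if self._in_script:
            for url in URL_RE.findall(data):
                self._check("script-inline", url)


def find_external_references(html, allowed_hosts):
    """Return a list of (tag, url) references to hosts outside allowed_hosts."""
    parser = ExternalRefFinder(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a page with one legitimate CDN reference, a hidden
# off-site frame and an inline redirect to an unknown host.
ALLOWED_HOSTS = ["www.example.com", "cdn.example.com"]
SAMPLE_HTML = """<html><head><title>Pricing guide</title>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body>
<p>Vehicle pricing content.</p>
<iframe src="http://203.0.113.9/x.js" width="1" height="1"></iframe>
<script>document.location = "http://bad.example.net/go";</script>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in find_external_references(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"off-site reference via <{tag}>: {url}")
```

Run against the HTML as delivered by the server (fetched over the network, not read from the document root), since the article's point is that the injected content appears in what IIS serves; a page that reports no findings against a complete allow list is the expected state, and any new host is worth investigating.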

Computers that run Microsoft's Internet Explorer browsers
are vulnerable to infection, according to US-CERT. The
CERT alert said Internet Explorer users can protect
themselves by turning off the "javascript" function in
their browsers. JavaScript is a computer language often
used in building Web sites. The attack takes advantage of
two recently discovered security flaws in Internet
Explorer. Microsoft released a patch in April to fix one
of the security holes; the company is still working on a
patch for the other flaw, which security researchers
publicly detailed less than two weeks ago.

CERT recommends that Internet Explorer users consider
different browsers such as Mozilla Firefox, Netscape
Communicator or Opera. For people who continue to use
Internet Explorer, CERT and Microsoft recommend setting
the browser's security setting to "high."

Among the several Web sites hit were kbb.com, the Internet
address of the Kelley Blue Book automobile pricing guide,
and MinervaHealth, a health care financing company based
in Jackson, Wyo.

Robyn Eckard, a spokeswoman for the Irvine, Calif.-based
Kelley Blue Book, said the company learned about the
problem late Wednesday after Web site visitors said their
antivirus software tipped them off to the code. Eckard
said Kelley Blue Book removed the malicious code from its
site by late Thursday afternoon.

Jennifer Scharff, vice president of marketing for the
company MinervaHealth, said some of the company's clients
reported the problem on Thursday. The company has since
fixed its site, she said. Scharff said no more than 50
visitors browsed the Web site during the time it was
serving up the hostile code.

In addition, at least one auction page on the eBay online
auction site contained a photograph that links to an
infected Web site, said Johannes Ullrich, chief technology
officer for the Bethesda, Md.-based SANS Institute's
Internet Storm Center.

Ken Dunham, malicious code manager for Reston, Va.-based
security company iDefense, said the attack bears the
trademark signatures of the Hangup Group, a Russian hacker
organization thought to be responsible for unleashing the
recent "Korgo" worms. Korgo worms allow hackers to read
what people are typing on their computers and scour
infected PCs for other financial information.

According to SANS, most large Internet service providers
stopped forwarding Internet traffic to the Russian Web
site that hosts the "keylogging" software.

FBI spokesman Joe Parris declined to say whether the
agency is investigating this particular attack. But Parris
said hackers commonly use similar Trojan horse
techniques. "We work closely with Microsoft in
investigating matters of this type and always follow up on
any information provided by industry," he said.

Dunham and other security experts said they expect this
kind of attack to become more widespread in coming weeks
and months.

"These guys have the tools, techniques and motivation to
launch highly sophisticated attacks that are very
difficult for consumers to protect themselves against," he
said. "Whoever is responsible has just seen how well this
attack works, and other (hacker groups) are almost surely
going to take notice."

Stephen Toulouse, a security program manager at Microsoft,
said the company does not believe the attack is
widespread. "Nonetheless, we view this as a very real
threat, with serious significance in terms of the
potential impact on our customers," he said.

Toulouse said the company is gathering information on the
attack and will hand it over to the FBI.

Security experts said it is not yet clear which Microsoft
vulnerability the attackers used to commandeer the Web
sites. Ullrich said the culprit is a flaw in the way IIS
processes secure login pages for Web sites that require
users to enter a username and password. Microsoft released
a patch for that flaw in April in a massive bundle of
security fixes.

Toulouse said that the proprietors for the majority of
sites affected by the attack failed to install the

SOURCE: http://www.washingtonpost.com/wp-
