Re: PC Users Warned of Infected Web Sites
From: BG (bg2_at_uasystem.ua.edu)
Date: 06/25/04
- Next message: Alvin: "undeliverable Hot Mail"
- Previous message: Alun Jones [MSFT]: "Re: Logon Passwords"
- In reply to: IE Flaw: "PC Users Warned of Infected Web Sites"
- Next in thread: IE Flaw: "Re: PC Users Warned of Infected Web Sites"
- Reply: IE Flaw: "Re: PC Users Warned of Infected Web Sites"
- Reply: Alun Jones [MSFT]: "Re: PC Users Warned of Infected Web Sites"
Date: Fri, 25 Jun 2004 16:36:56 -0500
Does this affect IIS6 on Win2003?
"IE Flaw" <anonymous@discussions.microsoft.com> wrote in message
news:2190d01c45aef$69def700$a101280a@phx.gbl...
> By Brian Krebs
> washingtonpost.com Staff Writer
> Friday, June 25, 2004; 3:30 PM
>
> Computer security experts and the federal government are
> warning Internet users to take extra precautions when
> browsing the Web after an Internet attack seeded Web sites
> with programs that hackers can use to steal personal
> information.
>
> The attack is more dangerous than most, according to the
> government's US-CERT cybersecurity center, because it
> affects even computers that are running updated antivirus
> and firewall software. Infection is possible just by
> visiting affected Web sites, according to US-CERT, a
> division of the U.S. Department of Homeland Security.
>
> The attackers, whose identities are unknown, targeted a
> flaw in Web sites powered by Microsoft's Internet
> Information Server (IIS). The sites hit by the attack were
> programmed to redirect the Explorer browser to another Web
> site that contains code that hackers use to record what
> people type on their keyboards -- including data such as
> passwords, credit card and Social Security numbers. The
> code then e-mails that information back to the attackers.
>
> Computers that run Microsoft's Internet Explorer browsers
> are vulnerable to infection, according to US-CERT. The
> CERT alert said Internet Explorer users can protect
> themselves by turning off the "javascript" function in
> their browsers. Javascript is a computer language often
> used in building Web sites. The attack takes advantage of
> two recently discovered security flaws in Internet
> Explorer. Microsoft released a patch in April to fix one
> of the security holes; the company is still working on a
> patch for the other flaw, which security researchers
> publicly detailed less than two weeks ago.
>
> CERT recommends that Internet Explorer users consider
> different browsers such as Mozilla Firefox, Netscape
> Communicator or Opera. For people who continue to use
> Internet Explorer, CERT and Microsoft recommend setting
> the browser's security setting to "high."
>
> Among the several Web sites hit were kbb.com, the Internet
> address of the Kelley Blue Book automobile pricing guide,
> and MinervaHealth, a health care financing company based
> in Jackson, Wyo.
>
> Robyn Eckard, a spokeswoman for the Irvine, Calif.-based
> Kelley Blue Book, said the company learned about the
> problem late Wednesday after Web site visitors said their
> antivirus software tipped them off to the code. Eckard
> said Kelley Blue Book removed the malicious code from its
> site by late Thursday afternoon.
>
> Jennifer Scharff, vice president of marketing for the
> company MinervaHealth, said some of the company's clients
> reported the problem on Thursday. The company has since
> fixed its site, she said. Scharff said no more than 50
> visitors browsed the Web site during the time it was
> serving up the hostile code.
>
> In addition, at least one auction page on the eBay online
> auction site contained a photograph that links to an
> infected Web site, said Johannes Ullrich, chief technology
> officer for the Bethesda, Md.-based SANS Institute's
> Internet Storm Center.
>
> Ken Dunham, malicious code manager for Reston, Va.-based
> security company iDefense, said the attack bears the
> trademark signatures of the Hangup Group, a Russian hacker
> organization thought to be responsible for unleashing the
> recent "Korgo" worms. Korgo worms allow hackers to read
> what people are typing on their computers and scour
> infected PCs for other financial information.
>
> According to SANS, most large Internet service providers
> stopped forwarding Internet traffic to the Russian Web
> site that hosts the "keylogging" software.
>
> FBI spokesman Joe Parris declined to say whether the
> agency is investigating this particular attack. But Parris
> said hackers commonly use similar Trojan horse
> techniques. "We work closely with Microsoft in
> investigating matters of this type and always follow up on
> any information provided by industry," he said.
>
> Dunham and other security experts said they expect this
> kind of attack to become more widespread in coming weeks
> and months.
>
> "These guys have the tools, techniques and motivation to
> launch highly sophisticated attacks that are very
> difficult for consumers to protect themselves against," he
> said. "Whoever is responsible has just seen how well this
> attack works, and other (hacker groups) are almost surely
> going to take notice."
>
> Stephen Toulouse, a security program manager at Microsoft,
> said the company does not believe the attack is
> widespread. "Nonetheless, we view this as a very real
> threat, with serious significance in terms of the
> potential impact on our customers," he said.
>
> Toulouse said the company is gathering information on the
> attack and will hand it over to the FBI.
>
> Security experts said it is not yet clear which Microsoft
> vulnerability the attackers used to commandeer the Web
> sites. Ullrich said the culprit is a flaw in the way IIS
> processes secure login pages for Web sites that require
> users to enter a username and password. Microsoft released
> a patch for that flaw in April in a massive bundle of
> security fixes.
>
> Toulouse said that the proprietors for the majority of
> sites affected by the attack failed to install the
> patches.
>
> SOURCE: http://www.washingtonpost.com/wp-dyn/articles/A5524-2004Jun25.html