  #1  
Old 25-June-2004, 12:55
gem
Join Date: May 2001
Location: @Home in Sturminster Newton, Dorset
Posts: 5,363
Watch out! Incoming mass hack attack

From The Register
Watch out! Incoming mass hack attack
By electricnews.net
Published Friday 25th June 2004 10:26 GMT

Security experts have expressed serious concern about recently-discovered flaws in Internet Explorer that seem to be the focus of an insidious attack.

The exact nature of the problem is unclear, although experts within many of the world's top e-security firms, as well as the SANS Institute and the US Department of Homeland Security, have acknowledged that something is amiss.

It seems that many popular websites, including search engines and shopping sites, have been secretly hacked and have had mysterious code placed on their Web servers. When a user running Internet Explorer logs on to a contaminated site, the user's PC is infected with malicious code, which has the potential to cause further problems.

Backdoors are opened on infected PCs and some experts have said that key logging software is also installed, allowing the creators of the code to steal passwords, PIN numbers and credit card details. Other experts suggest that the hackers behind the malware are actually loading computers with so-called "adware" or "spamware" software that can push unwanted ads to users or steal personal data for the purpose of spam emailing.

A few experts have pointed to the possibility of an enormous Distributed Denial of Service (DDoS) attack once enough computers are converted into zombies, but most have dismissed this possibility.

"This is what everyone has been really frightened about for a while now," said Conor Flynn, technical director with Rits Information Security in Dublin. The fear is rooted in the fact that there is no patch from Microsoft for the flaws, nor is there any indication that a patch is on the verge of being released. Though the virus-like infection rate remains low, experts like Flynn say the matter could become a more serious problem unless a fix is released soon. "There is no question that this one could be devastating," he said.

While some experts are looking to develop fixes, others are busy tracking down the perpetrators, who could be spammers, one of the few groups to have made money from hacking. Others say the engineers could include Eastern European or Russian-organised crime gangs, noting that the "high quality" code that infects websites redirects browsers to Russian-based Web servers.

For website proprietors, the best defence is to ensure that Web servers are fully patched and guarded against all attacks - particularly those running Internet Information Server (IIS), which seems to be a favourite of attackers due to previously revealed vulnerabilities.

Home users, meanwhile, should shut down options like ActiveX on Internet Explorer, which is a mechanism used by malicious code to upload onto PCs. Some experts have gone as far as to recommend that users switch to Opera, Safari, Netscape or Mozilla, Internet Explorer's rival browsers.

© ElectricNews.Net
__________________
GEM
  #2  
Old 25-June-2004, 13:48
Zer02004 (Screamager)
Join Date: Jan 2004
Location: Gods own country
Posts: 4,833

There are at least two serious exploits within IE that have been known about for some time.
Microsoft's reaction seems to have been to bury its corporate head deep in the Redmond sand.
__________________
******************************************
** Aspire To Inspire Before You Retire Or Expire! **
******************************************
  #3  
Old 25-June-2004, 20:11
crankykick (Screamager)
Join Date: Mar 2003
Location: here
Posts: 824

CHECKING FOR INFECTION

Click the Start button and then click on Search
Make sure you choose the option to look through all files and folders
Search for files called Kk32.dll and Surf.dat
If infected use up to date anti-virus software to remove the malicious code
Users are being told to avoid using Internet Explorer until Microsoft patches a serious security hole in it.
Is this it?
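A scripted version of the manual Start > Search check in the post above, added here as an example; it is not code from the thread or from any vendor quoted in it. It walks a directory tree and reports every file whose name matches one of the indicators, comparing case-insensitively because Windows file systems do, and records a SHA-256 so a hit can later be compared against a vendor write-up. The indicator names are the ones the post gives; the directory layout it builds is a constructed stand-in for a Windows system drive, and the hashing step is my addition. A name match on its own is only a hint, since later variants can be renamed, and an absent file does not prove a clean machine.

```python
"""Search a directory tree for the file names the post names as infection
indicators, matching case-insensitively as Windows does.  Added example for
this thread, not the thread's own code; the sample tree is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicator names from the post above (Kk32.dll, Surf.dat), lower-cased for matching
INDICATOR_FILES = ("kk32.dll", "surf.dat")


def sha256_of(path):
    """Hash a file in chunks so large files do not have to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_indicators(root, names=INDICATOR_FILES):
    """Walk `root` (hidden and system folders included, unlike a default
    Explorer search) and return a sorted list of (relative posix path, sha256)
    for every file whose name matches one of `names`, case-insensitively."""
    wanted = {n.lower() for n in names}
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() in wanted:
                p = Path(dirpath) / fn
                hits.append((p.relative_to(root).as_posix(), sha256_of(p)))
    return sorted(hits)


def build_sample_tree():
    """Constructed layout mimicking a Windows system drive; returns its root.
    The file contents are stand-ins, not real binaries."""
    root = Path(tempfile.mkdtemp(prefix="ioc-demo-"))
    sys32 = root / "WINDOWS" / "system32"
    temp = root / "Documents and Settings" / "user" / "Local Settings" / "Temp"
    sys32.mkdir(parents=True)
    temp.mkdir(parents=True)
    # Mixed case on purpose: the match must not depend on how the file was written
    (sys32 / "KK32.DLL").write_bytes(b"MZ\x90\x00 constructed stand-in")
    (temp / "surf.dat").write_bytes(b"constructed stand-in")
    (sys32 / "kernel32.dll").write_bytes(b"MZ benign stand-in")  # must not match
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel, digest in find_indicators(demo_root):
        print(f"HIT {rel}  sha256={digest}")
    if not find_indicators(demo_root):
        print("no indicator files found (this is not proof the machine is clean)")
```

Point it at the real drive root instead of the sample tree (run it from an account that can read every folder). As the post says, removal is a job for an up-to-date scanner; this only tells you whether the named files are present and what they hash to.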
  #4  
Old 25-June-2004, 20:21
Bluescrew (Screamer)
Join Date: Sep 2001
Location: Staffordshire
Posts: 128

This is why I love Opera browser and never use IE.


BS
  #5  
Old 25-June-2004, 20:46
crankykick (Screamager)
Join Date: Mar 2003
Location: here
Posts: 824

Hasn't Opera got adverts on it?

I'm On firefox at the mo
  #6  
Old 26-June-2004, 01:26
Bluescrew (Screamer)
Join Date: Sep 2001
Location: Staffordshire
Posts: 128

Mine hasn't


BS
  #7  
Old 26-June-2004, 07:35
Dave Smith (Screamager)
Join Date: May 2001
Location: Dunstable UK
Posts: 429

I use Firefox for all of my browsing except a few sites that only work properly with IE.
Hopefully this will avoid most of the attacks.

regards
__________________
Dave

http://daves-art.fotopic.net/
  #8  
Old 26-June-2004, 13:52
Zer02004 (Screamager)
Join Date: Jan 2004
Location: Gods own country
Posts: 4,833

From Kaspersky Labs:
Russian hackers investigate new vulnerabilities

Kaspersky Labs, a leading information security software developer,
announces a new case of mass infection, caused by a combination of
malware and unsanctioned access to computer systems. Web servers running
Microsoft Internet Explorer (ISS) 5 are affected, and individual
computers will become victims when the user views an infected site using
Internet Explorer.

An unusual method is used to infect victim machines. Web servers are
compromised using a JavaScript Trojan, Trojan.JS.Scob.a. It is not yet
clear whether the servers have been compromised via a new vulnerability,
or an already documented one.

When Internet Explorer is used to view a site on an infected server, the
Trojan will take control of the victim machine, and redirect the browser
to a site containing a PHP script. This is done using an unknown
vulnerability in Internet Explorer. A version of Backdoor.Padodor (w, x,
y, or z) will then be installed on the victim machine. This spy program
enables full remote control over victim machines.

Padodor's code contains the line 'Coded by HangUpTeam', leaving no doubt
as to the author's identity. The use of this program makes it likely
that the current attack was initiated by the HangUp Team, an
internationally known group of hackers and virus writers. The group is
responsible for a number of malicious programs, including the recent
Padobot worm, aka Korgo. This worm attacks victim machines by exploiting
a vulnerability in Windows LSASS, and receives remote commands via IRC
channels.

The HangUp Team was founded by three inhabitants of Archangel, Russia.
In 2000, they were arrested and placed on probation for creating and
distributing malicious code. However, the HangUp Team is still active,
and has members from throughout the former Soviet Union, and possibly
from other countries. The group is also notorious for its strong ties
with the spamming industry, which uses networks of zombie machines
created by the HangUp Team. Such networks are created using Trojans:
once a proxy-server is configured, these networks can be used as
spamming platforms.

'We may be talking about a zero-day exploit here - a vulnerability which
no-one knows about, and which there is no patch for. The hackers may
have discovered the vulnerability themselves, or paid for the
information, and compromised IIS servers around the world in order to
distribute this Trojan spy program. We have been predicting such an
incident for several years: it confirms the destructive direction taken
by the computer underground, and the trend in using a combination of
methods to attack. Unfortunately, such blended threats and attacks are
designed to evade the protection currently available,' commented Eugene
Kaspersky, head of Anti-Virus Research at Kaspersky Labs.

Updates for Kaspersky Labs anti-virus databases already contain
definitions of Trojan.JS.Scob.a, Backdoor.Padodor variants .w, .x, .y
and .z.
__________________
******************************************
** Aspire To Inspire Before You Retire Or Expire! **
******************************************
  #9  
Old 28-June-2004, 12:58
silver
Join Date: Apr 2001
Location: Bournemouth, UK
Posts: 11,859

Apparently they've taken down the Russian site that was sending out the exploit (for now anyway).

http://software.silicon.com/malware/...9121722,00.htm

Web surfers are no longer playing Russian roulette each time they visit a website, security researchers say, now that a far-reaching internet attack has been disarmed.

The attack, which had turned some websites into points of digital infection, was nipped in the bud on Friday, when internet engineers managed to shut down a Russian server that had been the source of malicious code. Compromised websites are still attempting to infect web surfers' PCs by referring them to the server in Russia but that computer can no longer be reached.


Still, web surfers should take precautions, as the internet underground is increasingly using this type of attack as a way to get by network defences and infect office workers' and home users' computers.

"This stops the problem for the short term," said Alfred Huger, senior director of engineering for security company Symantec. "However, it just takes a new culprit to come along and do the same thing all over again."

The attack worked by infecting some websites so that when net surfers visited those sites, they were redirected to the Russian server, which downloaded software onto surfers' PCs. That software could be used by a remote attacker to control those computers. It's unclear what the attackers' motivation may have been. Some have speculated that the purpose could have been spam distribution.

"It is a tremendously powerful way to get into a corporation," Huger said of this sort of attack. "It is significantly easier to lure a number of employees to a compromised website than to get through a company's perimeter, which they may have spent hundreds of thousands of dollars to secure."

The tactic is not new. Earlier this month, an independent security researcher found an aggressive piece of advertising software, known as adware, that had installed itself on victims' computers. A large financial client called in Symantec in late April after an employee used Internet Explorer to browse an infected website and his system became infected. Additionally, last fall, a similar attack may have been facilitated through a mass intrusion at Interland, sources familiar with that case said.

The Internet Explorer flaws that enabled the Russian attack, however, affect every user of the web browser, because Microsoft has not yet released a patch. Microsoft advised users to set their browsers' security to the highest settings, even though doing so could break some web functionality. The company also promised a patch for the flaws soon.

"We are not seeing that this threat is widespread but we believe the threat to be real," said Stephen Toulouse, security program manager for Microsoft's security response centre.

Researchers believe that attackers seed the websites with malicious code by breaking into unsecured servers or by using a previously unknown vulnerability in Microsoft's web software, Internet Information Server, or IIS.

After that code redirected them to one of two sites, most often to the server in Russia, that server used the pair of Microsoft Internet Explorer vulnerabilities to upload and execute a remote access Trojan horse, also simply called a RAT, to the victim's PC. The software records the victim's keystrokes and opens a back door in the system's security, in that way allowing the attacker to access the computer.

It's unknown how many websites were compromised by attackers and whether any high-traffic sites were affected. But it's believed that the number of infected sites is relatively small, given the total number of sites that exist.

Still, the network of compromised sites used in the attack is far larger than any before, said Johannes Ullrich, chief technology officer of the Internet Storm Center, a net threat-monitoring site.

"This is the first time that this many web sites got hit," he said. "The only other widespread use of this attack was Nimda, and that didn't work very well, because the exploit wasn't as effective."

Most antivirus companies issued updates overnight to allow their programs to detect the program when it is uploaded from the internet to a victim's PC, so computer users should update their virus definitions as soon as possible, Ullrich said.
Sil
  #10  
Old 30-June-2004, 16:01
silver
Join Date: Apr 2001
Location: Bournemouth, UK
Posts: 11,859

from http://www.winnetmag.com

The June 16 Security UPDATE includes a link to the news story "New IE
Flaws Might Allow Code Injection," which describes a relatively new
attack method being used by both intruders and purveyors of suspicious
or malicious software to infest systems that use Microsoft Internet
Explorer (IE). Jelmer Kuperus said that the attack uses Javascript,
iframes, PHP, and timing techniques to gain access to the trusted
intranet zone on a user's system. According to Kuperus, the exploit
also "uses several known vulnerabilities and two previously unknown
vulnerabilities." One of the vulnerabilities, for which no patch
exists, involves ActiveX Data Objects (ADO).
http://www.winnetmag.com/article/art...959/42959.html

Through this attack method that uses multiple vulnerabilities, many
people's systems (possibly even the systems of some of you readers)
have become infected with various sorts of software, most of which is
annoying, if not outright dangerous. For example, nefarious entities
have installed adware that generates an endless stream of pop-up
windows on users' systems. That's the lighter side of the problem
though.

As you can learn by reading the news story "Vulnerable IIS Sites and
IE Users Under Attack" below, yet another factor was added to the mix
last week, this time involving Microsoft IIS. Using the IIS
vulnerability described in Microsoft Security Bulletin MS04-011
(Security Update for Microsoft Windows) on systems that haven't yet
been updated with a patch that's been available since mid-April,
intruders can inject Javascript into a server's Web pages. The
Javascript then uses a technique similar to the one I described above
to get IE to download Trojan horse software onto an unsuspecting
user's systems. The Trojan horse program then gathers ("phishes")
log-on and financial information.

So now instead of intruders having to establish their own Web sites to
host malicious Javascript code, they're penetrating unpatched IIS
systems around the Internet that host legitimate Web sites. As Bugtraq
mailing list moderator David Ahmad points out in a June 25 posting,
these combined vulnerabilities have "no dependence on version or
memory layout or any other such messy factors, firewalls are totally
irrelevant and VPNs become basically a free ride in, [and] the browser
doesn't end up crashing (i.e., the victim remains blissfully unaware
that they've been owned)." These combined vulnerabilities have the
potential to become devastating.
http://www.securityfocus.com/archive...5/2004-07-01/0

Some preventive steps are obvious, and some aren't so obvious,
depending on the user or administrator. Obviously, loading the IIS
patch MS04-011 on your servers will stop intruders from manipulating
the servers' Web pages into hosting malicious code. Turning off
scripting in the IE security zones will also protect users to a
certain extent. But in countless scenarios, turning scripting off just
isn't possible. And sometimes scripting is essential to a Web site's
usability. Many of you probably already know how to improve security
in IE, but in case you don't, Microsoft has some recommendations that
you can read at the following URL:
http://www.microsoft.com/security/in.../settings.mspx

One workaround if you can't turn off scripting is to disable ADO
databases (ADODB) in IE. Drew Copley of eEye Digital Security wrote a
simple registry script that does this very thing and one that undoes
the changes. He also wrote an executable program that disables and
re-enables ADODB. You can download the scripts and executable program
at the eEye Web site.
http://www.eeye.com/html/research/al...l20040610.html
Sil
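The silicon.com and Windows & .NET Magazine pieces quoted in the two posts above describe the server side of the attack: JavaScript injected into a legitimate site's pages sends the visitor's browser to a third-party host, which then exploits IE. What follows is an added example of how a site operator could audit served pages for that pattern; it is my code, not from the thread or from any source quoted in it. It flags script, iframe, object and embed loads from hosts other than the site's own, iframes sized or styled invisible, and any loader tag that appears after the closing html tag. The sample page, the hostnames and the 203.0.113.5 address (a documentation range) are constructed; treating content after the closing html tag as a sign of an appended injection is my assumption about how such injections are usually placed, not something the articles state.

```python
"""Flag <script>/<iframe>/<object>/<embed> loads on a served page that point
at hosts other than the site's own, sit in hidden iframes, or were tacked on
after </html>.  Added example for this thread, not code from any quoted
vendor; the sample page, hostnames and 203.0.113.5 are constructed."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

LOADER_TAGS = ("script", "iframe", "object", "embed")


class _LoadCollector(HTMLParser):
    """Record every remote-loading tag and whether it appeared after </html>."""

    def __init__(self):
        super().__init__()
        self.loads = []          # (tag, src, attrs, after_html)
        self.after_html = False

    def handle_starttag(self, tag, attrs):
        if tag in LOADER_TAGS:
            d = {k.lower(): (v or "") for k, v in attrs}
            src = (d.get("src") or d.get("data") or "").strip()
            self.loads.append((tag, src, d, self.after_html))

    def handle_endtag(self, tag):
        if tag == "html":
            self.after_html = True


def _is_hidden(attrs):
    """Zero-sized or invisibly styled iframes are the classic drive-by carrier."""
    style = attrs.get("style", "").replace(" ", "").lower()
    zero = ("0", "0px")
    return (attrs.get("width", "").strip() in zero
            or attrs.get("height", "").strip() in zero
            or "display:none" in style
            or "visibility:hidden" in style)


def _same_site(host, site_host):
    return host == site_host or host.endswith("." + site_host)


def find_foreign_loads(html, site_host):
    """Return [(tag, src, [reasons])] for every suspicious load in `html`.

    `site_host` is the hostname the page is legitimately served from; loads
    from it, from its subdomains, and relative paths are treated as benign."""
    site_host = site_host.lower()
    parser = _LoadCollector()
    parser.feed(html)
    findings = []
    for tag, src, attrs, after_html in parser.loads:
        reasons = []
        host = (urlsplit(src).hostname or "").lower() if src else ""
        if host and not _same_site(host, site_host):
            reasons.append("off-site host " + host)
            try:                       # a bare IP rather than a name is a further oddity
                ipaddress.ip_address(host)
                reasons.append("raw IP literal")
            except ValueError:
                pass
        if tag == "iframe" and _is_hidden(attrs):
            reasons.append("hidden iframe")
        if after_html:                 # assumption: appended injections land here
            reasons.append("appended after </html>")
        if reasons:
            findings.append((tag, src, reasons))
    return findings


# Constructed page: two legitimate loads, one third-party ad script, and a
# zero-sized iframe appended after the document proper, pointing at a raw IP.
SAMPLE_PAGE = """<html><head>
<script src="/js/menu.js"></script>
<script src="http://static.example-shop.com/cart.js"></script>
</head><body>
<p>Welcome</p>
<script src="http://cdn.other-site.net/ads.js"></script>
</body></html>
<iframe src="http://203.0.113.5/x.php" width="0" height="0"></iframe>
"""

if __name__ == "__main__":
    for tag, src, reasons in find_foreign_loads(SAMPLE_PAGE, "example-shop.com"):
        print(f"<{tag}> {src}: {', '.join(reasons)}")
```

Run it over every file in the document root, or better over pages fetched through the live server, since an injection done at the server layer rather than in the files on disk only shows up in what is actually served. Legitimate third-party loads (a CDN, an ad network) will be flagged too, so keep an allow-list of expected hosts and compare each run against a known-good copy of the site; a hit on an unknown host or a raw IP is what warrants pulling the page and the server logs.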
  #11  
Old 30-June-2004, 16:22
gem
Join Date: May 2001
Location: @Home in Sturminster Newton, Dorset
Posts: 5,363
And - Malware attacks IE users via pop-ups

From The Register
Malware attacks IE users via pop-ups
By electricnews.net
Published Wednesday 30th June 2004 12:10 GMT

Another warning has been issued over data-stealing malware that exploits a vulnerability in Internet Explorer.

Although the threat from last week's "download.ject" attack has subsided, malware authors have not missed a beat in their efforts to use flaws in Internet Explorer as a gateway to steal banking and credit card information.

The malware, which has been identified by the SANS Institute, is delivered to users' PCs through pop-up windows that appear when users log on to financial portals.

It seems that the suspect pop-ups are delivered on certain websites that run ads from third-party ad servers, which appear to have been hacked. When the pop-ups appear, vulnerable versions of Internet Explorer begin downloading a malicious file that records activity - such as passwords - onto the infected PC and sends that data to a server reportedly located in Estonia.

Some 50 financial institutions have been affected, reports claim, and a patch for the exploit used by the as-yet-unnamed malware has not been released.

The latest trouble is sure to add to the pressure Microsoft is facing with Internet Explorer. The new warning comes less than a week after it was discovered that a number of websites running Microsoft's Internet Information Server 5.0 had been hacked. The attackers then dropped code onto the compromised servers which exploited a vulnerability in Internet Explorer. This installed Trojan horses and keyloggers on the computers via IE to the visitors of the compromised sites.

Microsoft is said to be working feverishly to deliver patches for these "zero-day" bugs, and there is now speculation that the company has decided to rebuild Internet Explorer from the ground up in order to ensure that the software is air-tight.

Meanwhile, US-CERT is telling users to deactivate certain advanced functions in Internet Explorer, such as ActiveX, to help prevent infection from a whole range of viruses and Trojans. Deactivation of these higher functions is not a cure-all and could impact on the functionality of some sites, experts say.

An even safer route would be to switch to a rival Internet browser like Netscape, Safari, Opera or Mozilla.
__________________
GEM
Copyright ©1999-2009 The Scream!