The bad guys have apparently found a new vulnerability in web servers running Microsoft’s Internet Information Server (IIS) 5 and have hacked some pretty big-name sites. The code planted on those sites can infect your PC with a virus merely by your visiting a web page, using yet another vulnerability in Internet Explorer. Word of this new threat went up on the US-CERT webpage just yesterday, and a related article on CNet’s News.com reported that, as of yesterday, there was no patch available from Microsoft to fix the vulnerability and the major anti-virus companies weren’t ready with a DAT update to detect the virus if it is installed on your system. Compromised web servers are appending JavaScript to the bottom of their web pages; that script attempts to contact a remote server and download the virus to your PC, so for the time being folks are being encouraged to turn off JavaScript in their browsers.
The group also pointed out that the malicious program uploaded to a victim’s computer is not currently detected as a virus by most antivirus software. With no patch from Microsoft, that leaves Internet Explorer users vulnerable. A representative of the software giant was not immediately available for comment on when a patch might be available.
Researchers believe that attackers seed the Web sites with malicious code by breaking into unsecured servers or by using a previously unknown vulnerability in Microsoft’s Web software, Internet Information Server (IIS). When a victim browses the site, the code redirects them to one of two sites, most often to another server in Russia. That server uses the pair of Microsoft Internet Explorer vulnerabilities to upload and execute a remote access Trojan horse, RAT, to the victim’s PC. The software records the victim’s keystrokes and opens a back door in the system’s security to allow the attacker to access the computer.
Currently, researchers have two theories as to who is behind the attacks. The Internet Storm Center pointed to the similarities between these attacks and previous virus epidemics aimed at co-opting computers for use in illegal spam networks.
“There is quite a bit of evidence that what we are seeing is yet another technique for spreading and installing ‘spamware,’” the group stated on its site. “We don’t see any evidence that this attack is related to the construction of a DDoS (distributed denial of service) network or other type of typical zombie-based attack group.”
However, Symantec believes that the attacks last fall and in April, which the current one most resembles, were conducted by online organized crime groups from Russia. The theory is supported not only by the fact that the server storing the malicious code is in Russia, but also by the sophisticated nature of the attacks, Symantec’s Huger said.
“It’s a group of people that have resources to bring to play,” he said, adding that the attack programs were not amateur material. “The code wasn’t pulled off a Web site; it was custom.”
Either way, this one is nasty, so take steps to protect yourself, and be sure to check with your anti-virus company and Microsoft’s Windows Update regularly for the patches and updates that should be available soon, if they are not already.
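For anyone running a web server, the tell-tale sign described above is a script tag appended past the end of an otherwise normal page, pointing at a host the site never used. The following is an added example, not code from the original post or from any of the groups it quotes: a small Python audit that flags script tags sitting after the closing `</html>`, script sources loading from hosts outside an allowlist, and any drift from a known-good hash of the page. The sample pages, the allowlist host and the `203.0.113.10` address are all constructed for the example.

```python
"""Audit served HTML for appended or foreign script tags and hash drift.

Added example (not from the original post). Sample pages and hosts below
are constructed; 203.0.113.10 is a documentation-range placeholder.
"""
import hashlib
import re
from urllib.parse import urlsplit

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
HTML_CLOSE = re.compile(r"</html\s*>", re.IGNORECASE)

# Constructed sample pages: a clean page and the same page with a script
# appended after </html> that loads from an outside host.
CLEAN_PAGE = (
    "<html><head><title>Store</title>\n"
    '<script src="/js/menu.js"></script></head>\n'
    "<body><h1>Welcome</h1></body></html>\n"
)
INJECTED_PAGE = CLEAN_PAGE + '<script src="http://203.0.113.10/x.js"></script>\n'


def find_scripts(html):
    """Return (offset, src) for every <script> start tag; src is None when inline."""
    found = []
    for m in SCRIPT_TAG.finditer(html):
        src = SRC_ATTR.search(m.group(1))
        found.append((m.start(), src.group(1) if src else None))
    return found


def trailing_scripts(html):
    """Script tags located after the last </html>: a well-formed page has
    nothing there, so this is the signature of content appended to the end."""
    closes = list(HTML_CLOSE.finditer(html))
    if not closes:
        return []  # no </html> at all; rely on the host check instead
    end = closes[-1].end()
    return [(off, src) for off, src in find_scripts(html) if off >= end]


def foreign_script_hosts(html, allowed_hosts):
    """Hosts of external script sources that are not on the allowlist.
    Relative paths such as /js/menu.js have no host and are ignored."""
    allowed = {h.lower() for h in allowed_hosts}
    hosts = []
    for _, src in find_scripts(html):
        if src is None:
            continue
        host = urlsplit(src).hostname  # also handles //host/path forms
        if host and host.lower() not in allowed:
            hosts.append(host.lower())
    return hosts


def content_hash(html):
    """SHA-256 of the page text, used as the known-good baseline."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def audit(html, baseline_hash, allowed_hosts):
    """Collect human-readable findings; an empty list means the page is clean."""
    findings = []
    if content_hash(html) != baseline_hash:
        findings.append("content differs from baseline hash")
    for off, src in trailing_scripts(html):
        findings.append(f"script after </html> at offset {off}: {src or '(inline)'}")
    for host in foreign_script_hosts(html, allowed_hosts):
        findings.append(f"script loaded from non-allowlisted host {host}")
    return findings


if __name__ == "__main__":
    baseline = content_hash(CLEAN_PAGE)  # taken when the site was known good
    allowed = {"www.example.com"}        # constructed allowlist
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, "->", audit(page, baseline, allowed) or "no findings")
```

The hash check is only meaningful for static pages; for dynamic content, the two structural checks (scripts past `</html>`, scripts from unexpected hosts) still apply to what the server actually sends, so run them against fetched responses rather than files on disk to catch anything added at serving time.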