SOURCE:
http://www.informationweek.com/story/showArticle.jhtml?articleID=22102178

A major Internet attack that installs hacker tools on
users' systems is subsiding, security experts say. But
more copycat attacks are possible in the days ahead.

By George V. Hulme

A widespread attack that targeted major E-commerce sites
and secretly planted hacker tools on the computers of
Internet surfers is subsiding, security experts say.
Security experts estimate that thousands of Web sites were
compromised in the past week. The attack, which may have
begun as early as Sunday, didn't attract much attention
until late Thursday evening when it was identified by
Internet security firms.

Most of the Web sites known to have been infected have
been cleaned, security analysts say. Also, Internet
service providers have blocked access to, or
"blackholed," the Russian server that was planting the
hacker tools on user PCs.

Alfred Huger, senior director of engineering for Internet
security firm Symantec Corp., says Web sites running
Microsoft's Internet Information Services software version
5.0 were attacked and infected with a malicious JavaScript
application. When Web surfers visited affected sites,
their computers were subsequently infected through
multiple vulnerabilities in Internet Explorer.

Once a Web surfer's system was attacked by the malicious
JavaScript application, the surfer's computer was
connected to a server located in Russia and infected with
hacker tools such as backdoors and keystroke loggers,
which could be used to take control of the user's system
or steal confidential information.

While patches are available for most of the Internet
Explorer vulnerabilities used in the attack, no patch is
available for one of the flaws, commonly known as the
ADODB vulnerability.

It's still unclear how the attackers managed to
successfully compromise Web servers running Microsoft's
IIS software, security experts say. "It's something we're
looking into," Huger says.

It's possible, but unlikely, that systems running
Microsoft IIS 5.0 software could have been attacked by
a "zero-day" vulnerability, which is a new software flaw
that's unknown and unpatched by software vendors, says
Marcus Sachs, director of The SANS Institute's Internet
Storm Center. "That's the worst-case scenario," he says.

Other possibilities include Web servers that
administrators believed to have been patched but were not,
or Web servers that could have been attacked through
vulnerabilities unrelated to IIS 5.0.

Security experts warn that future attacks are
possible. "Others may attempt copycat attacks, especially
if there is a zero-day attack in IIS," Sachs says.

Major antivirus companies have updated their software to
spot the malicious code downloaded to end-user systems in
this attack.

Microsoft is urging Web-site operators running Windows
2000 Server and IIS to apply a patch found in Microsoft
Security Bulletin MS04-011.

Microsoft has published a Web site with more information
about this attack and the IIS and Internet Explorer
vulnerabilities; it's located at
www.microsoft.com/security/incident/download_ject.mspx.