Most Web Users Safe As Major Net Attack Slows

Although the site was up as late as early Friday morning, later in the day it was inaccessible. Multiple security firms confirmed that the site was down, and TechWeb was also unable to reach the site.

The attack, considered to be among the most sophisticated to date, first compromises Microsoft IIS servers, then appends malicious JavaScript code onto each page served by the infected site. End users who simply view an infected page are invisibly redirected to the Russian hacker site, which then loads one of several backdoor components and a key logger to the PC.
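One defensive check for the pattern described above (extra JavaScript appended to every page an infected server returns), as an added example that is not from the article or any of the firms it quotes: it compares a page as fetched from the server with its copy on disk and flags trailing script blocks and script sources that point off-site. The sample pages and the hostname in them are constructed.

```python
import re

# Constructed clean page, as it exists in the web root (sample input).
ORIGINAL_PAGE = "<html><body><h1>Welcome</h1></body></html>\n"

# Constructed served copy: the same page with a script tag appended after
# </html>. The hostname is a placeholder, not a real indicator.
SERVED_PAGE = ORIGINAL_PAGE + (
    '<script src="http://injected.example.invalid/x.js"></script>\n'
)

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
SRC_RE = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.I)
ABS_HOST_RE = re.compile(r"^(?:https?:)?//([^/?#]+)", re.I)


def trailing_injection(original: str, served: str) -> str:
    """Return whatever the server appended beyond the on-disk page.
    An unchanged page yields ''; a page that differs somewhere other than
    the tail is out of scope for this check and also yields ''."""
    if served.startswith(original):
        return served[len(original):]
    return ""


def external_script_srcs(html: str, own_host: str) -> list:
    """List absolute script src URLs whose host is not our own host.
    Relative srcs such as /js/app.js belong to the site and are not flagged."""
    found = []
    for tag in SCRIPT_RE.findall(html):
        src_match = SRC_RE.search(tag)
        if not src_match:
            continue  # inline script; covered by the trailing check
        src = src_match.group(1)
        host_match = ABS_HOST_RE.match(src)
        if host_match and host_match.group(1).lower() != own_host.lower():
            found.append(src)
    return found


def assess(original: str, served: str, own_host: str) -> dict:
    """Combine both signals for one page fetched from the server."""
    tail = trailing_injection(original, served)
    return {
        "appended_scripts": len(SCRIPT_RE.findall(tail)),
        "external_scripts": external_script_srcs(served, own_host),
    }


if __name__ == "__main__":
    print(assess(ORIGINAL_PAGE, SERVED_PAGE, "www.example.com"))
```

Run it against each page in the web root and the same path fetched over HTTP; a non-zero count of appended scripts or any off-site script source on a page that should have none is worth an immediate look.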

"The [hacker] domain is no longer available," said Ken Dunham, director of malicious code research at iDefense. "Although it could be due to high levels of traffic to the site, it's more likely it's been made unavailable because of the malicious content it was hosting." McAfee's virus research manager, Craig Schmugar, also confirmed that the site was down.

While that eliminates the immediate threat to Internet Explorer users - with the site offline, nothing can be downloaded to compromised machines - this is nowhere near the end of the story, said security experts.


"This [attack] is only in the early stages," said Dunham, "and the IP address [for the Russian site] could easily be changed in future variants. Even as these hacker sites rise up and fall down, we still have the attack issue to deal with."

More attacks are probably in the offing because of the group behind the attack. "It looks like the HangUP Team out of Russia is doing this," he said. F-Secure, a Finnish anti-virus firm that's been aggressively analyzing the attack, also pegged HangUP as the most likely culprit.

HangUP, a for-profit malicious code-cutting group out of Russia, developed the backdoor Trojan horses that were uploaded to client systems exploited by Friday's attack. Those Trojans "are designed to steal credit card and other information that is then marketed to organized identity theft markets," said Dunham.

Dunham and others expect additional attacks because of HangUP's past practice with the Korgo worm, which the group is also suspected of writing. Korgo, now in its eighteenth variant, exploits the LSASS vulnerability in Windows that was made public several months ago.

"It's highly likely that we'll see additional attacks, if, in fact, HangUP is behind this, because of the number of Korgo variants it's put out," said Dunham.

Other reasons hackers will continue to exploit the situation are the ongoing confusion about how the servers -- and the sites hosted on them -- became infected in the first place, and the continuing vulnerability of Internet Explorer.

"That's the biggest mystery," said Mikko Hyppönen, F-Secure's director of anti-virus research. "Nobody seems to know how they were initially infected." Security firms are still trying to puzzle out whether the servers were exploited through a known vulnerability -- the most likely culprit is one patched by Microsoft in April -- or a so-called "zero-day" vulnerability. Exploits of zero-day vulnerabilities attack flaws for which no patch is available, and are considered worst-case by security experts.

Internet Explorer also remains vulnerable, said Dunham, contrary to Microsoft's claim. The client can be infected by such attacks through two vulnerabilities. One was patched in April but the second is a zero-day vulnerability called ADODB. (A patch against ADODB was issued in November 2003, but it doesn't protect against this newest exploit.)

"Microsoft has said if you're fully patched you're okay," said Dunham, "but we took live exploit code and ran it on a fully-patched client, and the code ran just fine."

In a document classified as "Critical," Microsoft tells users to visit Windows Update, the company's security update service, to protect themselves against the attack.

The stakes are high. End-users' systems were infected not only by backdoors but also by a key logger. Early Friday morning, F-Secure's Hyppönen said, "[The key logger] is stealing confidential information from thousands or tens of thousands of machines. That information can be passwords, usernames, credit card numbers, bank account numbers, anything really."

According to Symantec, the key logger trapped and transmitted authentication info -- usernames and passwords -- used to log in to major Web sites, including eBay, PayPal, EarthLink, Juno, and Yahoo.

"The key logger is stealing credentials of those going to those sites," said Alfred Huger, vice president of engineering for Symantec's virus watch group, "but that doesn't mean the sites themselves are infected."

With such stakes -- high volume identity theft -- in play, it's increasingly clear that Friday's attack will be only the first of many.

"It looks like this is something that we'll have to learn to live with," said Symantec's Huger. "The JavaScript is out there, the exploit is out there. Hopefully, we'll never be put in the position of having to walk away from the Web because we don't know which sites are safe and which aren't. If that happens, we've lost."

Until a solid patch is available, some experts are advising users to disable JavaScript in Internet Explorer, or switch to a non-IE browser.

"You can configure IE to be more secure, and disable the functionality of JavaScript," said McAfee's Schmugar. "But that puts users between a rock and a hard place."

Huger of Symantec took a different tack. "At this point, I think it's totally appropriate to have two browsers," he said.

For more on the attack, see CRN.

This story courtesy of TechWeb.