Posted on 06/25/2004 10:41:28 PM PDT by Ernest_at_the_Beach
Internet Attack Exploits Microsoft Software Flaws
Fri Jun 25, 2004 08:25 PM ET
By Duncan Martell

SAN FRANCISCO (Reuters) - A potentially dangerous attack on personal computers by a virus designed to steal financial data and passwords from Web users rippled across the Internet on Friday, computer security experts said.

The attack, which surfaced earlier this week and is known as the "Scob" outbreak, exploits a vulnerability in servers using Microsoft Corp.'s IIS software and has been called more dangerous than the recent "Sasser" and "Blaster" infections.

The infected servers in turn exploit another vulnerability in Microsoft's Internet Explorer browser to install a Trojan Horse virus on the PCs of Web surfers who visit the infected Web sites, said Alfred Huger, senior director of engineering at Internet security company Symantec Corp.

"All of this takes place while it looks like you're viewing the same Web page," Huger said. "You don't even know that parts of your browser have been redirected to another Web site."
The U.S. Computer Emergency Readiness team warned on its Web site that "any Web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code." The Trojan Horse places a keystroke logger on users' PCs and is designed to capture credit card numbers and passwords and send them back to a server in Russia, said Michael Murray, director of vulnerability and exposure at computer security firm nCircle Network Security.
By late Friday, however, the threat to users' personal data had been diminished, at least for now. "The server appears to have been shut down in the last eight hours," Murray said. "We don't know if it was shut down by authorities or whether it was accidental." The attack is more alarming than most because there are no patches available yet from Microsoft to fix the vulnerability in Internet Explorer that lets the hackers take control of computers, security researchers said. On its Web site, Microsoft said users could search for the files "Kk32.dll" or "Surf.dat" to see if their PCs were infected. The company also suggested users set their browser security level to "high."
Experts also urged computer users to update their anti-virus protection software. Most anti-virus software has been updated so that it can prevent the Trojan Horse from being installed, but because there is no patch yet available, there's no way to prevent future attacks that install the virus, Huger said.
"The truly alarming part is there is no patch available for that vulnerability," Huger said.
Well, let me amend that. The other thread isn't a duplicate of the report, but of the story.

Perhaps the key thing here is: "The truly alarming part is there is no patch available for that vulnerability,"

Even if you have an AV and a FireWall app (and I do), because this exploit targeted "trusted" sites, you may have configured your scripting guard for reduced security for those sites, and got hit - if you use MSIE.

Update your AV definitions tonight and run a full scan.

It would appear that the only solution is to use another browser, until MS releases more secure code (or becomes a smaller target for malware coders).
Norton picks it up as "download.ject" and stops it from scripting, thereby rendering it harmless. I got hit with it twice in the last three days. It attacks only those web servers which have not applied a certain patch to IIS software. If you visit a website hosted on a server without the patch, and Scob has found that server, you're vulnerable to "download.ject" if your anti-virus software has not been updated to stop it from scripting.
The other thread got moved to the blogger section which isn't as visible.
This is a sourced story so should ( I think ) stay in the news section which is currently seen by many more folks.
Thanks for putting the Link to that thread since there was a pretty decent discussion on browsers and in particular on Firefox, which I am using at the moment.
Seems to work OK, still need to do more customization of the options.
Attacks like this are the reason you should be using an active firewall. I use a NAT firewall in my router which blocks all normal incoming "probe" type attacks. However, firewalls will typically do nothing to prevent a trojan implant from a site which YOU visit.
A second line of attack is a firewall like ZoneAlarm [It is effective and it is FREE!]. The advantage of ZoneAlarm is that it will block messages being sent FROM your computer by untrusted software. You are forced to authenticate each application on your computer which sends messages.
If a trojan is installed, and if it collects private data, then it should still be blocked when it attempts to send the data back to the collection server.
*****
I keep my machines fairly up to date and my Norton virus protection very up to date. However, I visited a site supposedly selling equipment for the visually impaired. It looked legitimate. However, Norton did sound an alarm that a trojan was detected. Norton did NOT inform me that it had not prevented the infection. I didn't find out about the infection until the next scan two days later.
At the time of the scan, Norton was unable to delete the virus, which was running at the time. I could examine the virus enough to determine that it had been constructed in Russia at a firm started in 1991/2 to "monitor Russian legislation". [sure!]
I hand cleaned up the mess and found two collection files with email addresses that the virus had secreted away on my machine for later mailing.
The files installed, BTW, had randomized names so that searches on the executables did not produce any hits. Norton could not identify the trojan, it simply detected that an unidentified trojan was in operation on my machine.
BTTT
I switched from Norton to VCOM's System Suite and they use Trend's (I think it is) antivirus system.
I am also using the Firefox browser for a while to see if I like it.
Check out the link at #2.
I am running VCOM's System Suite 5 which has a firewall that detects in and out.
Seems pretty good.
I wonder why it didn't bother me?
Oh ya, I'm using Firefox.
How long has explorer been out? Seems like the software engineers at Microsoft are complete idiots if they can't put together a program without flaws within 15 years.
I use VCOM System Suite 5 as well, I think it's great. Yes, VCOM System Suite uses Trend-Micro's virus engine.
I have been using Powerdesk forever and decided to try the whole suite.
Cool! I actually prefer Powerdesk to Windows Explorer. I had only wished I had stumbled upon Powerdesk ages ago.
Shadowace is the guy to ask if you have questions on Firefox or Mozilla.
There is also a user forum at the websites for mozilla and Firefox.
What browser are you running?
I can't find one thing that I don't like about System Suite. It's very powerful, and runs on both my 98 and XP machines.
CNET Article on the virus here:
Exactly! When you uninstall it, it wouldn't uninstall everything properly and would give you a list of "cannot find *.exe file" error screens at bootup.
I laughed one time when I was fixing these errors on a computer network at the local insurance agent, and installed McAfee, and that installation package came up with an error box that said "we've detected stray files from Norton Anti-Virus exists on your computer, would you like us to get rid of these files?" and I clicked yes, and McAfee cleaned up Norton and successfully installed itself.
Everyone should keep in mind that these vulnerabilities are designed in, so that Gates and his Hollywood buddies can spy on you. Over time, these situations can be exploited by others.
ROFL!
Symantec just picked up Powerquest so now I may need to look for a replacement for Partition Magic.
Although disks have really gotten inexpensive so not such a big deal now.
True. I'm going to get a second hard drive and the one I have now will be used as a backup drive.
Well this little virus thingie may just get me to move over to Linux, since the browser is the big issue and Firefox seems to be working well for most of what I do, and it will run on Linux.
I have a bunch of storage.

For all of us home users who are stuck with the Redmond operating system, I'd recommend trying to get ALL other software from SOMEWHERE ELSE for safety, NOT from microsoft.
I like the site nonags.com for very good open sourced software. These people for the most part ONLY recommend, test, and rank free software that does NOT NAG you for money to upgrade to a 'better version'.
If you need anything more commercial than that, I'd say the non-MS versions of software will be as good or better, and less virus-prone, than MS versions.
martin_fierro also had a good list of software for PC protection (except for the part about Opera).
Whichever email system you use, BE SURE to turn OFF the reading of mail in HTML MODE. Read all messages in 'TEXT ONLY' mode or else you can be infecting your system JUST by reading a message (even without opening attachments).
Another reason to not allow HTML mode in your email reader, is that built-in images in the message (sometimes they're even invisible) will confirm to spammers that your email address is valid.
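The two posts above describe what an HTML mail body can do when a reader renders it: fetch remote images (including invisible "beacon" images that confirm the address is live) and run active content. The following audit, written here as an added example and not code from the thread or from any mail client, walks an HTML body with Python's standard-library parser and lists what rendering it would fetch, so a defender can see why "text only" mode is safer. The sample message, the hostnames and the tracking-pixel heuristic (1x1 or 0x0 dimensions, or `display:none`) are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class RemoteContentAuditor(HTMLParser):
    """Collect the remote fetches and active content an HTML mail body would
    trigger if a mail reader rendered it instead of showing text only."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (kind, detail) tuples in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src") or ""
            parts = urlsplit(src)
            # Only http/https sources cause a network fetch; "cid:" parts are
            # embedded in the message itself and reveal nothing to a sender.
            if parts.scheme not in ("http", "https"):
                return
            size = (a.get("width", ""), a.get("height", ""))
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = size in (("1", "1"), ("0", "0")) or "display:none" in style
            kind = "tracking-pixel" if hidden else "remote-image"
            self.findings.append((kind, parts.netloc))
        elif tag in ("script", "iframe", "object", "embed"):
            # Active content: the reason reading HTML mail can infect a
            # machine without any attachment being opened.
            self.findings.append(("active-content", tag))


def audit_html_mail(body):
    """Return the list of (kind, detail) findings for one HTML mail body."""
    auditor = RemoteContentAuditor()
    auditor.feed(body)
    auditor.close()
    return auditor.findings


# Constructed sample message: one visible logo, one invisible beacon whose URL
# carries a per-recipient token, one embedded (cid:) image, one remote script.
SAMPLE_MAIL = """<html><body>
<p>Your order has shipped.</p>
<img src="https://img.example.net/logo.png" width="200" height="60" alt="logo">
<img src="http://track.example.net/open.gif?id=abc123" width="1" height="1" alt="">
<img src="cid:inline-part-1" alt="embedded">
<script src="http://track.example.net/x.js"></script>
</body></html>"""


if __name__ == "__main__":
    for kind, detail in audit_html_mail(SAMPLE_MAIL):
        print(f"{kind:15s} {detail}")
```

Running it on the constructed message reports one ordinary remote image, one tracking pixel pointed at `track.example.net`, and one script tag; the `cid:` image is not reported because it never leaves the message. A mail reader in text-only mode fetches none of these, which is the point of the advice above.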
BTTT for later.
Thanks, but I use Apple products only. Safari is my browser. Microsoft is a dirty word in this house.
Thanks, beckett...I am a computer dunce and don't know how to look for this invasion, but I do have Norton on auto update...Norton has never found a virus when it scans my files.
Thank you
Well, I don't know what was causing problems on my computer this week,
but I did want to beat the heck out of it with a baseball bat.
Ping
The move to Firefox is a very easy move, suggest you both look at it.
Shadowace had some good tips on the thread he started, now in the blogger chat area.
Link to it above here somewhere.
I am doing this right now under Firefox.
There are a few things to learn, but not many; use the right click on the mouse a bit more.
Firefox doesn't have the mail capability so is much smaller than IE.
If you are a big user of mail, then Mozilla has that.
Link at post #2.
Thanks. Is there any way to tell if my computer has the virus? I ran a virus scan yesterday and it appeared that there was no problem (yet).
Click the button to learn about email that's much safer than Outlook. Firefox's companion, Thunderbird.
What do the headers have to do with anything? I see no reason to believe they mean that MS software exists behind them.
Thanks for the information!
After it was detected on my machine I checked at Symantec and found the names of the two registry keys that "download.ject" writes and searched the registry for them. They were not there. I also searched my hard drives for Kk32.dll and Surf.dat. Again, nada. So it seems Norton successfully slams the door on this thing.
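The article quotes Microsoft's advice to search for "Kk32.dll" or "Surf.dat", and the poster above did the same search; an earlier poster, though, reports that the files dropped on his machine had randomized names, so a filename search found nothing. The script below, an added example that is not code from the thread or from any vendor tool, shows the difference by scanning a directory tree two ways: by the published filenames, and by the SHA-256 hash of file contents, which survives renaming. The directory it scans and the "known bad" hash are constructed inside the script (the hash is of a harmless placeholder byte string, not of real malware); in a real response the hash list would come from the AV vendor's write-up.

```python
import hashlib
import os
import tempfile

# Filenames named in Microsoft's advice (quoted in the article). Name matching
# alone is weak: a poster in this thread saw randomized filenames.
INDICATOR_NAMES = {"kk32.dll", "surf.dat"}

# Constructed stand-in for dropped-file contents. Only its hash is used below,
# the way a vendor-published hash would be; it is not a real sample.
CONSTRUCTED_PAYLOAD = b"constructed stand-in for a dropped file, not real malware\n"
INDICATOR_HASHES = {hashlib.sha256(CONSTRUCTED_PAYLOAD).hexdigest()}


def sha256_of(path, chunk_size=65536):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                break
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, names=INDICATOR_NAMES, hashes=INDICATOR_HASHES):
    """Walk root and return sorted (path, reason) pairs; reason is 'name' when
    the filename matched and 'hash' when only the contents matched."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            path = os.path.join(dirpath, filename)
            if filename.lower() in names:        # case-insensitive, like NTFS
                hits.append((path, "name"))
                continue
            try:
                if sha256_of(path) in hashes:
                    hits.append((path, "hash"))
            except OSError:
                pass  # unreadable or vanished file: skip, do not abort the scan
    return sorted(hits)


def build_sample_tree():
    """Constructed tree: one file caught by name, one renamed copy caught only
    by hash, one benign file that should produce no hit."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    sub = os.path.join(root, "system32")
    os.makedirs(sub)
    with open(os.path.join(sub, "Kk32.dll"), "wb") as fh:
        fh.write(b"unrelated bytes\n")          # matches by published name only
    with open(os.path.join(sub, "qzx91a.dll"), "wb") as fh:
        fh.write(CONSTRUCTED_PAYLOAD)            # randomized name, matches by hash
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"benign\n")
    return root


def demo():
    """Build the sample tree, scan it, and return hits relative to the root."""
    root = build_sample_tree()
    return [(os.path.relpath(path, root), reason) for path, reason in scan_tree(root)]


if __name__ == "__main__":
    for rel_path, reason in demo():
        print(f"{reason:4s}  {rel_path}")
```

Against the constructed tree the scan reports `system32/Kk32.dll` by name and `system32/qzx91a.dll` by hash; only the second method would have found the renamed file. Registry keys, which the poster also checked, cannot be inspected offline this way, but the same principle applies: match on what the dropper cannot easily vary.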
I cannot verify who owns the website that Bush2000 recommended for getting Spybot (security.kolla.de). One WHOIS service shows NO REGISTRANT. Another WHOIS service shows "INVALID".

Spybot Search and Destroy is a VERY good program and I highly recommend it for cleaning up a system... The official site, registered by the author of SPYBOT, is http://www.safer-networking.org/index.php?page=spybotsd

I don't know that Spybot will catch this bug yet. So far, I've only heard that the Symantec tools can find it. I also see post #46 has some more info.
>>I see no reason to believe they mean that MS software exists behind them.

You 'might' be right. I might have been premature, because I do not KNOW that Opera is a licensed repackaging of Microsoft's IE. However, their headers indicate they are COMPATIBLE with IE. Therefore if the security bug is systemic to one of the JavaScript commands that is unique to MS's definition of JavaScript, then it COULD have the same problem.

I had not heard ANY security experts recommending Opera yesterday, but did hear of some recommending Mozilla/Firefox. And some specifically said the bug does NOT affect the later pair.
Before I switched from IE to mozilla, my weekly ad-aware and spybot scans would turn up an average of 50 spyware cookies.
Since the switch, the weekly scans might turn up 1 or 2 spyware cookies.
Regarding a switch to linux, I've been considering switching too, but still keeping windows as a partition for local work only.
> I recommend users do NOT install OPERA as an alternative to IE at this time, since that appears to be a SPINOFF from IE.

Unless there is evidence of an actual Opera user being compromised during the current infection cycle, I'd tend to dismiss the above as being unsupported speculation.

> However, their headers indicate they are COMPATIBLE with IE.

I'd be more inclined to think that the headers are spoofed so that Op users have less trouble with bozo sites that claim to be MSIE-only, not because they're hard-coded to some MS'ism, but just because that's all they tested against.