Posted on 06/25/2004 10:41:28 PM PDT by Ernest_at_the_Beach
Internet Attack Exploits Microsoft Software Flaws
Fri Jun 25, 2004 08:25 PM ET
By Duncan Martell
SAN FRANCISCO (Reuters) - A potentially dangerous attack on personal computers by a virus designed to steal financial data and passwords from Web users rippled across the Internet on Friday, computer security experts said.
The attack, which surfaced earlier this week and is known as the "Scob" outbreak, exploits a vulnerability in servers using Microsoft Corp.'s IIS software and has been called more dangerous than the recent "Sasser" and "Blaster" infections.
The infected servers in turn exploit another vulnerability in Microsoft's Internet Explorer browser to install a Trojan Horse virus on the PCs of Web surfers who visit the infected Web sites, said Alfred Huger, senior director of engineering at Internet security company Symantec Corp.
"All of this takes place while it looks like you're viewing the same Web page," Huger said. "You don't even know that parts of your browser have been redirected to another Web site."
The U.S. Computer Emergency Readiness team warned on its Web site that "any Web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code."
The Trojan Horse places a keystroke logger on users' PCs and is designed to capture credit card numbers and passwords and send them back to a server in Russia, said Michael Murray, director of vulnerability and exposure at computer security firm nCircle Network Security.
By late Friday, however, the threat to users' personal data has been diminished, at least for now.
"The server appears to have been shut down in the last eight hours," Murray said. "We don't know if it was shut down by authorities or whether it was accidental."
The attack is more alarming than most because there are no patches available yet from Microsoft to fix the vulnerability in Internet Explorer that lets the hackers take control of computers, security researchers said.
On its Web site, Microsoft said users could search for the files "Kk32.dll" or "Surf.dat" to see if their PCs were infected. The company also suggested users set their browser security level to "high."
Experts also urged computer users to update their anti-virus software protection software.
Most anti-virus software has been updated so that it can prevent the Trojan Horse from being installed, but because there is no patch yet available, there's no way to prevent future attacks to install the virus, Huger said.
"The truly alarming part is there is no patch available for that vulnerability," Huger said.
Well, let me amend that.
The other thread isn't a duplicate
of the report, but of the story.
Perhaps the key thing here is:
"The truly alarming part is there is no patch
available for that vulnerability,"
Even if you have an AV and a FireWall app (and
I do), because this exploit targeted "trusted"
sites, you may have let configured scripting
guard for reduced security for those sites, and
got hit - if you use MSIE.
Update your AV definitions tonite and run a
full scan.
It would appear that the only solution is to
use another browser, until MS releases more
secure code (or becomes a smaller target for
malware coders).
Norton picks it up as "download.ject" and stops it from scripting, thereby rendering it harmless. I got hit with it twice in the last three days. It attacks only those web servers which have not applied a certain patch to IIS software. If you visit a website hosted on a server without the patch, and Scob has found that server, you're vulnerable to "download.ject" if your anti-virus software has not been updated to stop it from scripting.
The other thread got moved to the blogger section which isn't as visible.
This is a sourced story so should (I think) stay in the news section which is currently seen by many more folks.
Thanks for putting the Link to that thread since there was a pretty decent discussion on browsers and in particular on Firefox, which I am using at the moment.
Seems to work OK, still need to do more customization of the options.
Attacks like this are the reason you should be using an active firewall. I use a NAT firewall in my router which blocks all normal incoming "probe" type attacks. However, firewalls will typically do nothing to prevent a trojan implant from a site which YOU visit.
A second line of attack is a firewall like ZoneAlarm [It is effective and it is FREE!]. The advantage of ZoneAlarm is that it will block messages being sent FROM your computer by untrusted software. You are forced to authenticate each application on your computer which sends messages.
If a trojan is installed, and if it collects private data, then it should still be blocked when it attempts to send the data back to the collection server.
*****
I keep my machines fairly up to date and my Norton virus protection very up to date. However, I visited a site supposedly selling equipment for the visually impaired. It looked legitimate. However, Norton did sound an alarm that a trojan was detected. Norton did NOT inform me that it had not prevented the infection. I didn't find out about the infection until the next scan two days later.
At the time of the scan, Norton was unable to delete the virus, which was running at the time. I could examine the virus enough to determine that it had been constructed in Russia at a firm started in 1991/2 to "monitor Russian legislation". [sure!]
I hand cleaned up the mess and found two collection files with email addresses that the virus had secreted away on my machine for later mailing.
The files installed, BTW, had randomized names so that searches on the executables did not produce any hits. Norton could not identify the trojan, it simply detected that an unidentified trojan was in operation on my machine.
BTTT
I switched from Norton to VCOM's System Suite and they use Trend's (I think it is) antivirus system.
I am also using the Firefox browser for awhile and see if I like it.
Check out the link at #2.
I am running VCOM's system Suite 5 which has a firewall that detects in and Out.
Seems pretty good.
I wonder why it didn't bother me?
Oh ya, I'm using Firefox.
How long has Explorer been out? Seems like the software engineers at Microsoft are complete idiots if they can't put together a program without flaws within 15 years.
I use VCOM System Suite 5 as well, I think it's great. Yes, VCOM System Suite uses Trend-Micro's virus engine.
I have been using Powerdesk forever and decided to try the whole suite.
Cool! I actually prefer Powerdesk to Windows Explorer. I had only wished I had stumbled upon Powerdesk ages ago.
Shadowace is the guy to ask if you have questions on Firefox or Mozilla.
There is also a user forum at the websites for mozilla and Firefox.
What browser are you running?
I can't find one thing that I don't like about System Suite. It's very powerful, and runs on both my 98 and XP machines.