Posted on 06/30/2004 7:53:51 PM PDT by NotQuiteCricket
The Web attack that was stopped dead in its tracks on Friday when a Russian Web site was taken offline remained under investigation Monday by a host of security firms still puzzled over the method used to infect a number of Microsoft Internet Information Services (IIS) servers.
But the evidence now is leading them to accept Microsoft's explanation that the IIS 5.0 servers were hacked manually and that the server software doesn't have an unknown, or so-called "zero-day," vulnerability.
"Nobody yet knows how these servers were infected," said Ken Dunham, the director of malicious code research at iDefense. "But if it was a widespread vulnerability, how come there weren't more servers infected? If that was the case, we should have heard reports by now about lots of other computers [being infected with the malicious JavaScript code]."
On Saturday, Microsoft released a statement claiming that the attack -- which infected an unknown number of IIS servers which in turn delivered malicious code to any Internet Explorer user who surfed sites hosted by those servers -- "is not a worm or virus, in other words, this attack is a targeted manual attack by individuals or entities towards a specific server."
Symantec's research, said Oliver Friedrichs, a senior manager with the company's virus response team, also leans toward manual hacks. "That's what it looks like. It's certainly not a worm or an automated exploit."
Microsoft said that all the compromised servers were running IIS 5.0 unpatched against a vulnerability disclosed in April. Some security firms last week theorized that even patched IIS systems were vulnerable, but that now seems to have been a false alarm.
One security analyst who requested anonymity said that it was more likely that those reports originated with IT administrators trying to do damage control. "Perhaps they applied the patch but it didn't take, thought they had the patch in place but didn't, or they didn't apply the patch at all but now say they did. It's easier to say 'there are some clever hackers out there' than to admit you got caught with your pants down."
An accounting of infected servers was provided Monday by Cyveillance, a vendor of online risk and management tools. As of Sunday, Cyveillance detected 641 sites that were infected by the malicious code.
The Arlington, Va.-based company used its June audit of over 50 million domains to pinpoint the 6.2 million sites known to run IIS 5.0, then collected and analyzed pages from those sites to test for infection. If Cyveillance's numbers are on the money, that means fewer than one hundredth of one percent of the IIS 5.0 servers in use remained compromised Sunday.
The picture is clearer on the client side, where Internet Explorer 5.0 and 6.0 remain vulnerable to future iterations of this kind of malicious code delivery system. Last week's attack exploited two vulnerabilities in IE, one known and patched, the other known but not yet fixed.
"This is huge," argued Dunham, whose company has traced the attack to a well-known group of hackers dubbed HangUP based in Russia. "[HangUP] has a new trick in their bag to attack IE users at will."
The group has accumulated hundreds of megabytes of stolen financial information, said Dunham, and sells it on the black market. Last week's attack was ultimately meant to deliver key loggers and Trojan horses to compromised end users' machines to steal account information and credit card numbers.
Nor is the group going to stop. "Even if they sell a credit card number for just $1 to $3 a pop -- and they have hundreds of megabytes of data -- you do the math," said Dunham. "A million dollars in Russia is a lot of money. And they're able to recruit new members because they have an illicit business model that works."
In other words, expect more such attacks. "The potential for future attacks is real," said Friedrichs. "We could see them in a couple of days or a couple of weeks."
Until the unpatched vulnerability is fixed by Microsoft, users can rely on a combination of safe surfing practices and some technical work-arounds to make sure they're secure.
Large, trusted commercial sites, said Symantec's Friedrichs, can be assumed to be patched against the IIS vulnerability, but smaller sites may not. "Use common sense when you surf," he advised.
Other experts recommend that users execute the "kill bit" setting for IE within the Windows registry to disable ActiveX.
* Create a registry key called: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}* Then, create a dword value named "Compatibility Flags" and give it a value of 400.
Microsoft recommends that users set IE's security to "High," but that setting will interfere with normal surfing. (For details on setting IE's security, check out "Step 1" in this page from Microsoft's site.)
Another option is to download and install the still-not-final release candidate of Windows XP Service Pack 2. SP2 is not susceptible to this type of attack, said Microsoft.
Also - if you are worried that you have gotten the trojan (which may or may not be detected by zonealarm, since it acts as a bho) you may go to: http://www.definitivesolutions.com/bhodemon.htm and download bhodeamon, which will show the Browser Helper Objects installed.
And for everyone's information, the IE exploit has remained unpatched for 10 months.
Go Mo!
I may even take a stab at installing some flavor of an open source os on my laptop (which is old an creaky anyway currently not used but on 98SE). This hack/exploit could be a "good thing" for opensource all together, if enough people get paranoid & pissed like I am.
Probably correct. The fault goes mostly to the hackers, and secondly any admins who didn't patch their systems with available upgrades.
Just might be what those Russians were wanting you to do.
Watch the attacks for posting this 3, 2, 1, NOW.
What, no attacks? Maybe I'm actually starting to get through. (waits for more attacks)
I tried Mozilla Firefox. Didn't work for me; I can't think in Russian.
Manually hacked, eh?
Cui bono?
Most likely an insider at the outfit that owned or operated the web server.
I'm fine with everyone reading this and reaching their own conclusions - ergo BTT.
In your face, losers...
O
K
We might even have the perfect profile of the perps right here, LOL.
Happy 4th of July. Perfect time to debate this stuff, but I'll be doing other things. OUT.
It depends on what the 641 sites are. One report was about a major ecommerce site.
I think it's best to see how this turns out. And in the meantime, it's prudent to not use the vulnerable browser, particularly for ecommerce, if possible.
Avoiding unnecessary risk lowers stress.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.