[ISN] Hackers Attack Through Popular Web Sites

[InfoSec News]

http://www.pcworld.com/news/article/0,aid,116689,00.asp

By James Niccola
Paul Roberts 
Martyn Williams
IDG News Service
June 25, 2004

Internet users visiting some of the most popular sites on the Web may
unwittingly be downloading malicious code that compromises their
computers and sets up a relay network for a future onslaught of spam,
a security services company warns.

NetSec, which provides managed security services for large businesses
and government agencies, began detecting suspicious traffic on several
of its customers' networks on Thursday morning, says Chief Technology
Officer Brent Houlahan.

Examining firewall logs and other data points on those networks,
NetSec found that when users visit certain popular Web
sites--including an online auction, a search engine, and a comparison
shopping site--they unwittingly download a piece of malicious
JavaScript code attached to an image or graphics file on the site.

Without the user's knowledge, the code connects their PC to one of two
IP addresses in North America and Russia. From those systems they
unknowingly download a piece of malicious code that appears to install
a keystroke reader and probably some other malicious code on the
computer, Houlahan says.

The code may be gathering the addresses of Web sites visited by
affected users and the passwords used to access them. In addition, the
IP address in Russia is a known source of spam, and the code may be
creating a network of infected machines that could be used to relay
spam across the Internet at some later date, he says.


Under Investigation

He stressed that NetSec is still examining the code and has yet to
determine the exact payload or the intent of the attack. The SANS
Institute's Storm Center is also studying the outbreak and has found
that the code surreptitiously downloads and installs a Trojan horse
program named msits.exe, according to Johannes Ullrich, chief
technology officer at The SANS Institute's Internet Storm Center.

Ullrich did not specify what functions are performed by the msits.exe
Trojan.

NetSec declines to name the affected Web sites for liability reasons
but says they are "big, big sites." It is probably the Web hosting
facilities that cache content for those sites that are infected,
rather than the "origin servers" at the Internet service providers
themselves, Houlahan says.

"The tricks used in this particular attack method are nothing new.  
What's significant about this is the fact that it impacts major Web
hosting facilities," says Dan Frasnelli, who manages NetSec's
technical assistance center.

The attack affects only users running Microsoft's Windows operating
system and Internet Explorer browser, he says. It was unclear Thursday
how the attack originated, but it may exploit a known vulnerability in
Microsoft's IIS (Internet Information Services) Web Server software at
the Web hosting facilities, Frasnelli says.

The U.S. Computer Emergency Response Team (CERT) called on system
administrators running IIS version 5 to verify to ensure there is no
unusual JavaScript appended to the bottom of pages served by their
system.

Widespread Problem?

It was also unclear Thursday afternoon how many systems had been
compromised and how widespread the problem was. NetSec says it had
protected its own customers by writing custom intrusion detection
signatures and blocking its customers' PCs from visiting the IP
addresses involved in the attack.

"There's a potential for widespread impact because currently the
[antivirus] vendors don't have a signature for it," Frasnelli says.

CERT says the attack is another example of why users must exercise
caution when JavaScript is enabled on their systems and recommended it
be disabled unless it is absolutely necessary. The group warned even
Web servers trusted by the user may be affected by this attack and
contain malicious code.