Hijacked Web Sites Spread Trojans to IE Visitors

    Severity: High
    25 June, 2004

    Summary:
    Yesterday, NetSec Inc. warned of a large-scale attack they detected spreading from numerous Web sites (including popular destinations such as search engines, online price-comparison sites, auction sites, and financial institution sites) to unsuspecting Internet Explorer (IE) users. Apparently, hackers have hijacked some IIS Web servers and injected the sites' Web pages with malicious JavaScript code. The hijacked Web sites exploit an unpatched IE vulnerability, spreading a malicious Trojan to any IE user visiting the sites. The malicious Trojan can install a keystroke logger, set up a malicious proxy server, or install a back door, giving the attacker total control of the victim's machine. See the Solution section below to learn how to protect your users and your IIS server from this malware.

    Exposure:
    Late yesterday, NetSec Inc. warned that they were seeing some sort of malware spreading from IIS Web servers of certain public sites. Today, a few more details about this attack emerged. Hackers have apparently somehow corrupted many Web sites, including some very popular ones, and injected malicious JavaScript code into the document footer of all the hijacked Web sites' pages.

    If any IE user visits one of these infected Web sites, he triggers the malicious JavaScript code, which exploits an unpatched IE vulnerability (similar to the one described here). This causes the unsuspecting IE user to automatically download and install one of many malicious Trojans from a Russian site. Which specific Trojan the victim receives differs from case to case. Some of the Trojans install keystroke loggers, others install proxy servers, and some even backdoor your computer, allowing the attacker full access. AV vendors have named some of these Trojans Scob, Backdoor-AXJ and VBS/Psyme.

    As this issue develops, many details remain unknown, and as a result, much of the reporting is contradictory. The problem is complicated by the fact that it concerns two vulnerabilities: one in IIS, and one in IE. For now, experts still don't know exactly how the hackers gained control over the hijacked IIS servers. We still don't know whether the attackers manually hijacked each infected IIS server or if the IIS infection is spreading automatically via some undiscovered worm or attack bot. The IE vulnerability has no patch available, and according to some sources, Microsoft is not close to offering one. That means all IE users are at risk for the foreseeable future.

    Although this attack vector seems new, hackers used a similar attack method against a large Web hosting company called Interland in 2003.

    Solution Path:
    For IIS Administrators:

    Though no one really knows how the hijacked IIS servers first became infected by this malware, most experts suspect that the IIS servers were attacked using vulnerabilities corrected by Microsoft's MS04-011 security patch, described in our April 13 Vulnerability Alert. If you haven't already applied this patch, you should do so immediately. Administrators who applied this patch without rebooting report that they still remained vulnerable to attack, so make sure to reboot your server after applying the patch.

    Is your own IIS server infected? SANS's write-up on this attack lists symptoms to look for. You should verify that your server doesn't show any of these symptoms.

    For Internet Explorer Users:

    The infected Web servers use an unpatched IE exploit to deliver the malicious Trojan. All IE users are vulnerable to this attack except the few using the Windows XP SP2 Release Candidate 2.

    However, you can adjust some of IE's security settings to prevent this attack from succeeding. (Before you try any of the steps in this paragraph, read it completely, since this workaround may also hamper your experience at uninfected Web sites.) This attack uses JavaScript, so have all your IE users disable JavaScript in IE. To do so, click Tools => Internet Options => Security tab. Highlight the "Internet" Zone and then click Custom Level. Scroll down to Scripting and disable both "Active Scripting" and "Scripting of Java Applets." Keep in mind, some legitimate sites use Java scripting and Active Scripting in order to work properly. For instance, an Outlook Web Access server uses Active Scripting to display mail to your users via a browser. If you encounter a legitimate site that you must allow your users to access, we recommend you add that site to the "Trusted Site" list in IE (also under Tools => Internet Options => Security tab). You can learn more about adjusting IE's security settings here.

    Many AV vendors have added signatures which detect this malicious HTML attack and the Trojans it delivers. We recommend you update your AV signatures to make sure you can detect and prevent these attacks.

    IE users should also make sure they are up-to-date with all IE patches. Visiting Windows Update is the easiest way to see if an individual PC is up to date.
    Best regards
    Trainer

    "It wasn't raining when Noah built the ark!"
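The post tells IIS administrators to check their own servers for symptoms of the hijack, and the one symptom it describes concretely is malicious JavaScript injected into the document footer of every served page. The following scanner is an added example, not code from the post, from NetSec, SANS or Microsoft: it walks a web root and flags script blocks that sit after the page's closing body/html tag or that load code from a host outside a list the administrator supplies. The list of own hosts, the file extensions and the two sample pages are constructed assumptions for illustration.

```python
"""Footer-script scan for IIS-served pages (added example, constructed samples)."""
import os
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# A <script ...>...</script> block: group 1 = attributes, group 2 = body.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
# The src attribute inside a script tag's attribute list.
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# First closing </body> or </html>; anything after it is "footer" territory.
CLOSE_RE = re.compile(r"</(?:body|html)\s*>", re.IGNORECASE)


def find_suspicious_scripts(html: str, own_hosts: List[str]) -> List[Dict[str, object]]:
    """Return findings for script blocks in the footer or pulling code from a foreign host.

    own_hosts: hostnames the site legitimately serves scripts from (assumption:
    the administrator knows these). Relative src values count as own.
    """
    known = {h.lower() for h in own_hosts}
    first_close = CLOSE_RE.search(html)
    footer_start = first_close.start() if first_close else len(html)
    findings = []
    for m in SCRIPT_RE.finditer(html):
        attrs = m.group(1)
        reasons = []
        if m.start() >= footer_start:
            reasons.append("script block after closing </body>/</html> tag")
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname
            if host and host.lower() not in known:
                reasons.append(f"external script source {host}")
        if reasons:
            findings.append({"offset": m.start(), "reasons": reasons,
                             "snippet": m.group(0)[:80]})
    return findings


def scan_web_root(root: str, own_hosts: List[str],
                  exts: Tuple[str, ...] = (".htm", ".html", ".asp")) -> Dict[str, list]:
    """Walk a web root and map each file that has findings to its findings."""
    report: Dict[str, list] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    html = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            found = find_suspicious_scripts(html, own_hosts)
            if found:
                report[path] = found
    return report


# Constructed sample pages, not real captures from any hijacked site.
CLEAN_PAGE = """<html><head><script src="/js/app.js"></script></head>
<body><p>Welcome</p><script>trackPage();</script></body></html>
"""
# Same page with a script appended after the document footer.
INJECTED_PAGE = CLEAN_PAGE + '<script src="http://injected.example/x.js"></script>\n'

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, find_suspicious_scripts(page, own_hosts=["www.example.com"]))
    # On a real server: print(scan_web_root(r"C:\Inetpub\wwwroot", ["www.example.com"]))
```

The scanner reads files from disk rather than fetching pages over HTTP, so it also catches injected content in pages that are only served to some visitors; running it from a scheduled task and diffing the report against the previous run turns it into a simple integrity check for the web root.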