A hacker compromised the corporate website of France
Télécom's internet service provider (ISP) subsidiary Wanadoo,
causing the site to try to install a malicious software program on
computers of visitors.
The site, www.wanadoo.com, had been altered to use two common
software exploits that redirect a visitor's web browser from that
address to websites that attempted to download a Trojan horse
program onto the visitor's computer.
The attacks are just the latest example of malicious hackers
compromising prominent web pages and using them to distribute
malicious code to unsuspecting users.
"Someone succeeded in breaking into the site and altering a
page," said Wanadoo spokeswoman Caroline Ponsi.
The attack happened on Monday night (23 August) and occurred
despite the fact that "all our software is up to date", she
said.
"We're in the process of checking everything before starting it
up again. We have an idea how he got in," she added.
Wanadoo has identified the network from which the attack
originated, and has made a complaint to the ISP concerned, she
said.
The Wanadoo site was taken down and users were redirected to a
notice that a technical problem had occurred.
During the attack, Wanadoo.com distributed copies of two common
exploits, one called "Exploit-ByteVerify" and the other called
"MHTML URL".
At least one of the files, the MHTML URL, was also used in the
June attacks that used compromised Internet Information Services
(IIS) web servers to distribute malicious code, said Craig
Schmugar, virus research manager at McAfee's Antivirus Emergency
Response Team Labs.
If the attack successfully exploited the software holes, users
unknowingly accessed a website that copied a Trojan horse program
called loaderfox onto their computers.
Microsoft has issued software patches for the holes exploited by
both exploit programs, Schmugar said. McAfee's anti-virus software
detected the files pushed out by wanadoo.com.
The Wanadoo site, which usually provides background information
on the company's strategy and structure, was still not operating
Thursday, although the redirection was changed to point toward the
site for Wanadoo's French subscribers.
The Wanadoo hack is just the latest in a string of such
incidents in recent months.
In June, a Russian hacking group known as the "hangUP team"
used a recently patched buffer overflow vulnerability in
Microsoft's implementation of SSL (Secure Sockets Layer) to
compromise vulnerable Windows 2000 systems running IIS Version 5
web servers.
The June attacks also used two vulnerabilities in Windows and
the Internet Explorer web browser to silently run a malicious
computer code named "Scob" or "Download.ject" from the IIS servers
on machines that visited the compromised sites, redirecting the
customers to websites controlled by the hackers and downloading a
Trojan horse program that captures keystrokes and personal
data.
Last week, researchers at PivX Solutions intercepted malicious
code that closely resembled Scob. The new attacks used
mass-distributed instant messages to lure internet users to
websites that distribute malicious code similar to Download.ject,
said Thor Larholm, senior security researcher at PivX.
Peter Sayer and Paul Roberts write for IDG News Service.