Latest attack hits web users through top sites

Internet users visiting some of the most popular sites on the web may unwittingly be downloading malicious code that compromises their computers and sets up a relay network for a future onslaught of spam, a security services company warned.

NetSec, which provides managed security services for large businesses and government agencies, began detecting suspicious traffic on several of its customers' networks yesterday morning, said chief technology officer Brent Houlahan.

Examining firewall logs and other data points on those networks, NetSec found that when users visit certain popular websites - including an online auction, a search engine and a comparison shopping site - they unwittingly download a piece of malicious JavaScript code attached to an image or graphics file on the site.

Without the user's knowledge, the code connects their PC to one of two IP (Internet Protocol) addresses in North America and Russia. From those systems they unknowingly download a piece of malicious code that appears to install a keystroke reader and probably some other malicious code on the computer, Houlahan said.

The code may be gathering the addresses of websites visited by affected users and the passwords used to access them. In addition, the IP address in Russia is a known source of spam, and the code may be creating a network of infected machines that could be used to relay spam across the internet at some later date, he said.

He stressed that NetSec is still examining the code and has yet to determine the exact payload or the intent of the attack.

The SANS Institute's Internet Storm Centre is also studying the outbreak and has found that the code surreptitiously downloads and installs a Trojan horse program named msits.exe, according to Johannes Ullrich, the centre's chief technology officer.

Ullrich did not specify what functions are performed by the msits.exe trojan.

NetSec declined to name the affected websites for liability reasons but said they are "big, big sites".

The infected systems are probably the web hosting facilities that cache content for those sites, rather than the "origin servers" at the internet service providers themselves, Houlahan said.

"The tricks used in this particular attack method are nothing new. What's significant about this is the fact that it impacts major web hosting facilities," said Dan Frasnelli, manager of NetSec's technical assistance centre.

The attack affects only users running Microsoft's Windows operating system and Internet Explorer browser, he said.

It was unclear how the attack originated, but it may exploit a known vulnerability in Microsoft's IIS (Internet Information Services) web server software at the web hosting facilities, Frasnelli said.

The US Computer Emergency Response Team (Cert) called on system administrators running IIS version 5 to verify that no unusual JavaScript has been appended to the bottom of pages served by their systems.
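As an added example (not from the article, Cert or NetSec), a small Python checker for the condition Cert described: script blocks that appear after a page's closing tag, plus a comparison of the copy a caching host serves against the origin copy, since Houlahan suggests the caches rather than the origin servers were modified. File paths, page contents and the placeholder host name are constructed.

```python
import re
from pathlib import Path

# A <script ...>...</script> block, any case, possibly spanning lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
# Where a well-formed page ends; script after this point is the warning sign.
END_RE = re.compile(r"</html\s*>|</body\s*>", re.IGNORECASE)


def appended_scripts(html: str) -> list[str]:
    """Return every script block that sits after the page's last </html> or </body>."""
    ends = list(END_RE.finditer(html))
    if not ends:
        return []  # no closing tag at all: not decidable here, inspect by hand
    tail = html[ends[-1].end():]
    return [m.group(0) for m in SCRIPT_RE.finditer(tail)]


def extra_suffix(origin_html: str, served_html: str) -> str:
    """Return what the served copy carries beyond the origin copy ("" if nothing).

    Models the article's scenario: origin server clean, caching host modified.
    If the copies diverge before the end, the whole served page is returned
    so the operator sees it was not a simple append.
    """
    if served_html.startswith(origin_html):
        return served_html[len(origin_html):]
    return served_html


def scan_webroot(root: Path, suffixes=(".htm", ".html", ".asp")) -> dict[str, list[str]]:
    """Walk a document root and map each file with appended script to its hits."""
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = appended_scripts(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed samples (not real content): a clean page and the same page with
# a script tag appended after </html>; the host name is a reserved placeholder.
CLEAN_PAGE = "<html><body><h1>Catalogue</h1></body></html>\n"
TAMPERED_PAGE = CLEAN_PAGE + '<script src="http://example.invalid/x.js"></script>\n'

if __name__ == "__main__":
    print(appended_scripts(TAMPERED_PAGE))
    print(repr(extra_suffix(CLEAN_PAGE, TAMPERED_PAGE)))
```

Point `scan_webroot` at a copy of the served document root (or at a directory of pages fetched from the cache) rather than the origin, since that is where the article places the modification.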

It was also unclear how many systems had been compromised and how widespread the problem was. NetSec said it had protected its own customers by writing custom intrusion detection signatures and blocking its customers' PCs from visiting the IP addresses involved in the attack.

"There's a potential for widespread impact because currently the [anti-virus] suppliers don't have a signature for it," Frasnelli said.

Cert said the attack was another example of why users must exercise caution when JavaScript is enabled on their systems, and recommended that it be disabled unless absolutely necessary. The group warned that even web servers trusted by the user may be affected by this attack and contain malicious code.

James Niccolai, Paul Roberts and Martyn Williams write for IDG News Service
