Internet users visiting some of the most popular sites on the web may unwittingly be downloading malicious code that compromises their computers and sets up a relay network for a future onslaught of spam, a security services company warned.
NetSec, which provides managed security services for large businesses and government agencies, began detecting suspicious traffic on several of its customers' networks on yesterday morning, said chief technology officer Brent Houlahan.
Without the user's knowledge, the code connects their PC to one of two IP (Internet Protocol) addresses in North America and Russia. From those systems they unknowingly download a piece of malicious code that appears to install a keystroke reader and probably some other malicious code on the computer, Houlahan said.
The code may be gathering the addresses of websites visited by affected users and the passwords used to access them. In addition, the IP address in Russia is a known source of spam, and the code may be creating a network of infected machines that could be used to relay spam across the internet at some later date, he said.
He stressed that NetSec is still examining the code and has yet to determine the exact payload or the intent of the attack.
The SANS Institute's Storm Centre is also studying the outbreak and has found that the code surreptitiously downloads and installs a Trojan horse program named msits.exe, according to Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Centre.
Ullrich did not specify what functions are performed by the msits.exe trojan.
NetSec declined to name the affected websites for liability reasons but said they are "big, big sites".
It is probably the web hosting facilities which cache content for those sites that are infected, rather than the "origin servers" at the internet service providers themselves, Houlahan said.
"The tricks used in this particular attack method are nothing new. What's significant about this is the fact that it impacts major web hosting facilities," said Dan Frasnelli, manager of NetSec's technical assistance centre.
The attack affects only users running Microsoft's Windows operating system and Internet Explorer browser, he said.
It was unclear how the attack originated, but it may exploit a known vulnerability in Microsoft's IIS (Internet Information Services) web server software at the web hosting facilities, Frasnelli said.
It was also unclear how many systems had been compromised and how widespread was the problem. NetSec said it had protected its own customers by writing custom intrusion detection signatures and blocking its customers' PCs from visiting the IP addresses involved in the attack.
"There's a potential for widespread impact because currently the [anti-virus] suppliers don't have a signature for it," Frasnelli said.
James Niccolai, Paul Roberts and Martyn Williams write for IDG News Service