Microsoft warns: Check your patches now

Microsoft has acknowledged that Internet Information Server (IIS), a component of the Windows 2000 Server, and holes in the...

Microsoft has acknowledged that Internet Information Server (IIS), a component of the Windows 2000 Server, and holes in the Internet Explorer web browser are being used in widespread attacks that are compromising web pages and using them as launching pads for malicious computer code.

The company has urged customers to apply the latest security patches for both IIS and the Internet Explorer web browser and increase the security settings on the browser.

In an unusual move, Microsoft noted that users that are running its unreleased Windows XP Service Pack 2 operating system are protected. (

The warnings from the company came as anti-virus and computer security experts said that an organised gang of Russian hackers were behind the attacks and were using the security holes in a coordinated, global attack to steal sensitive personal and financial information from customers of leading banking and e-commerce websites.

Rumours of the attacks surfaced after network administrators spotted malicious files on Windows 2000 machines running IIS version 5. Computer security experts have isolated files involved in the attack and how the malicious files are being spread from websites to customer machines, according to a message posted on The SANS Institute's Internet Storm Centre.

The infected files have names such as Download_Ject_Symantec.doc, ipaddress.txt, issue.csv, ads.vbs and agent.exe. They are placed in a Windows folder named "inetsrv". In addition, the configuration of IIS is changed, so that an option called "enable document footer," is turned on.

Network administrators should apply a recent patch for IIS, MS04-011, said Microsoft. Systems that did not have this patch may be vulnerable to the attacks.

A previously unknown and unpatched security vulnerability in IIS may also be to blame for the infections, said Ken Dunham, director of malicious code at iDefense.

The IIS vulnerability allows the attackers to place malicious files on the Windows 2000 machines and change a configuration setting called the "enable document footer" feature, which is used to append files, such as copyright statements or disclaimers, to the bottom of web pages served by IIS. In the case of the latest attack, the malicious JavaScript files are appended as "footers" to every file on the website, Dunham said.

When web surfers visit the site, the malicious JavaScript code is sent to the user's client machine, along with other website files, and run. For people visiting those sites, a combination of holes in Internet Explorer, one that has been patched by Microsoft and one that has not, is allowing malicious programs to be surreptitiously placed on customers' machines, Dunham said.

The code redirects the user's web browser to a Russian website from which a Trojan horse program is unknowingly downloaded and installed on the user's system, according to Johannes Ullrich, chief technology officer at the Internet Storm Centre.

The program contains a key-capture feature that can be used to steal password and credit card information from web sessions, and forward those to the criminals behind the scam, experts said.

NetSec, which provides managed security services for large businesses and government agencies, and the Internet Storm Centre declined to name companies affected by the exploit, but both said that the problem is widespread.

NetSec said that an online auction website, search engine site and a comparison shopping site all were known to have infected visitors' computers with the malicious code.

The exploits appear to be the work of an organised group of Russian hackers and are designed to harvest personal information that can be used for financial fraud, security experts said.

Mikko Hyppönen, director of anti-virus research at Helsinki anti-virus company F-Secure said his team has connected the malicious code, which it called "Scob", with a known Russian virus writing group called Korgo.

IDefense linked the malicious attacks to a group by a different name called the hangUP team, also from Russia and also believed to be responsible for the recent string of Korgo worms, Dunham said.

"These are hackers for hire and they commoditise every piece of information they capture. This was a very complicated and sophisticated attack," he said.

Security experts were still trying to determine how IIS servers were compromised and whether applying the latest patches for IIS and Internet Explorer would protect users from the attacks.

Paul Roberts writes for IDG News Service

Read more on IT risk management