Hackers target French ISP Wanadoo

A hacker compromised the corporate website of France Télécom's internet service provider (ISP) subsidiary Wanadoo, causing the...

A hacker compromised the corporate website of France Télécom's internet service provider (ISP) subsidiary Wanadoo, causing the site to try to install a malicious software program on computers of visitors.

The site, www.wanadoo.com, had been altered to use two common software exploits that redirect a visitor's web browser from that address to websites that attempted to download a Trojan horse program onto their computers.

The attacks are just the latest example of malicious hackers compromising prominent web pages and using them to distribute malicious code to unsuspecting users.

"Someone succeeded in breaking into the site and altering a page," said Wanadoo spokeswoman Caroline Ponsi.

The attack happened on Monday night (23 August) and occurred despite the fact that "all our software is up to date", she said.

"We're in the process of checking everything before starting it up again. We have an idea how he got in," she added.

Wanadoo has identified the network from which the attack originated, and has made a complaint to the ISP concerned, she said.

The Wanadoo site was taken down and users were redirected to a notice that a technical problem had occurred.

During the attack, Wanadoo.com distributed copies of two common exploits, one called "Exploit-ByteVerify" and the other called MHTML URL.

At least one of the files, the MHTML URL, was also used in the June attacks that used compromised Internet Information Services (IIS) web servers to distribute malicious code, said Craig Schmugar, virus research manager at McAfee's Antivirus Emergency Response Team Labs.

If the attack successfully exploited the software holes, users unknowingly accessed a website that copied a Trojan horse program called loaderfox onto their computers.

Microsoft issued software patches for the holes compromised by both exploit programs, Schmugar said. McAfee's anti-virus software spotted the files pushed out by wanadoo.com.

The Wanadoo site, which usually provides background information on the company's strategy and structure, was still not operating Thursday, although the redirection was changed to point toward the site for Wanadoo's French subscribers.

The Wanadoo hack is just the latest in a string of such incidents in recent months.

In June, a Russian hacking group known as the "hangUP team", used a recently patched buffer overflow vulnerability in Microsoft's implementation of SSL (Secure Sockets Layer) to compromise vulnerable Windows 2000 systems running IIS Version 5 Web servers.

The June attacks also used two vulnerabilities in Windows and the Internet Explorer web browser to silently run a malicious computer code named "Scob" or "Download.ject." from the IIS servers on machines that visited the compromised sites, redirecting the customers to websites controlled by the hackers and downloading a Trojan horse program that captures keystrokes and personal data.

Last week, researchers at PivX Solutions intercepted malicious code that closely resembled Scob. The new attacks used mass-distributed instant messages to lure internet users to websites that distribute malicious code similar to Download.ject, said Thor Larholm, senior security researcher at PivX.

Peter Sayer and Paul Roberts writes for IDG News Service

Read more on IT risk management