Computer and Internet security experts were closely watching the development of a mysterious outbreak that appears to have used a new tactic against an old vulnerability to infect thousands, possibly millions, of Web servers, Internet sites and Microsoft’s Internet Explorer browser users.
The widespread attacks began as early as June 20th, but security officials are still piecing together how Microsoft’s Internet Information Services (IIS) servers — widely used to host popular Internet sites — became infected, passing the virus-like code onto other Web sites and Internet Explorer browsers.
Although it is unclear precisely how the malicious code is infecting IIS servers or browsers, it is believed to be a so-called zero-day threat — a virus or worm that is not prevented by most antivirus defense — and might be similar to the Nimda worm, which infected users through Internet Explorer as well as through e-mail.
Seeds of Infection
Ken Dunham, iDefense director of malicious code intelligence, told TechNewsWorld that the attack code — which was posted to an underground Web site earlier this month — had likely hit hundreds of thousands, if not millions, of users. He called it a “very complicated attack.”
“Fully patched Explorer users are attacked at will, silently,” Dunham said, adding that the effort appears to originate from a Russian group of “hackers for hire” who have a history of developing Trojans or malicious code that can steal credit card data and similar information that would later be sold for profit.
“Hundreds of thousands of computers could feasibly be infected in just a few hours using compromised IIS servers as the launching pad for this attack,” Dunham said.
IIS Servers Fully Patched
The SANS Internet Storm Center reported that several administrators said their IIS servers were fully patched and that security experts are investigating the method used to compromise the servers.
“The Trojan horse programs include keystroke loggers, proxy servers and other back doors providing full access to the infected system,” the advisory said.
SANS experts indicated they were unsure how the affected servers had been compromised, but a security hole known as the SSL-PCT vulnerability has been identified as a likely cause. Dunham called the infection of fully patched computers with new malicious code “troubling,” and said that the way IIS servers have been attacked remains unclear.
However, Dunham said the use of new exploits and zero-day attacks, particularly involving systems that already have been patched for a similar threat, might now become a trend.
The Internet Storm Center advised those with compromised servers to undertake a complete rebuild.
Dunham advised auditing patches and ensuring that computers are fully patched, adding that Internet Explorer users should consider an alternative browser, at least temporarily. Dunham also said a firewall is a necessary defense measure to prevent further spread or hijacking of a machine.
Gartner research vice president Richard Stiennon told TechNewsWorld that Internet Explorer’s integration with the Windows operating system — the cause of the company’s fight with competitors and the government — is turning out to be a liability for Microsoft.
“Obviously, there are still vulnerabilities in Explorer that allow these kinds of things to happen,” Stiennon said. “Explorer has way too many hooks and it’s way too closely tied to the operating system.”