RealTime IT News

Malware Hacker Attack Linked to Spammers

The SANS Internet Storm Center, which tracks malicious Internet activity, reported that a large number of popular Web sites were compromised earlier this week to distribute malicious code that targets a known bug in Microsoft Internet Explorer.

"The attacker uploaded a small file with JavaScript to infected Web sites, and altered the web server configuration to append the script to all files served by the web server," the center alert warned.

If a user visited an infected site, the JavaScript delivered by the site would instruct the user's browser to download an executable from a Russian Web site and install it, the alert added.

"These Trojan horse programs include keystroke loggers, proxy servers and other back doors providing full access to the infected system."

The center believes the attack is the work of a sophisticated international spam ring.

"There is quite a bit of evidence that what we are seeing is yet another technique for spreading and installing 'spamware' to create proxies to relay and send spam. We don't see any evidence that this attack is related to the construction of a DDoS network."

Early Friday morning, Microsoft issued a "critical" notice for the Download.Ject malware. The software giant said it was investigating reports of the malware targeting customers using Microsoft Internet Information Services 5.0 (IIS) and the IE browser.

There is conflicting information on whether a patch is available to protect against the hacker attack. Microsoft's alert said Web servers running Windows 2000 Server and IIS that have not applied a patch issued in its MS04-011 advisory "are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code."

However, the center said several server administrators reported that they were fully patched.

"We do not know at this point how the affected servers have been compromised," the center's alert said. "The SSL-PCT exploit is at the top of our list of suspects. If you find a compromised server, we strongly recommend a complete rebuild. You may be able to get your Web site back into business by changing the footer setting and removing the JavaScript file. But this is likely a very sophisticated attack and you should expect other stealthy backdoors."

Once the hackers break into a Web site, its files are modified so that a Trojan downloader called "Scob" or "Download.Ject" is appended to them, causing IE to execute it. "No warning will be displayed. The user does not have to click on any links. Just visiting an infected site will trigger the exploit."

The center said log files from a compromised server will show no alteration to existing files on the server. "The JavaScript is included as a global footer and appended by the server as they are delivered to the browser. You will find that the global footer is set to a new file," the center said in a note to server administrators.
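A defender-side check for the footer technique described above, added here as an illustration rather than code from the article or from SANS: because the server appends the same fragment after every document it serves, the appended script shows up after the closing `</html>` tag of every page (and inside non-HTML files such as stylesheets), so comparing the tails of several responses from one site exposes a global footer that a file-by-file integrity check would miss. The response bodies and the `/footer.js` path below are constructed sample data.

```python
import re
from typing import Optional

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
HTML_END = re.compile(r"</html\s*>", re.IGNORECASE)


def appended_script(body: str) -> Optional[str]:
    """Return a <script> fragment that sits after the document's closing
    </html> tag (or anywhere in a body that has no </html>, e.g. a stylesheet).
    That is where a server-configured document footer lands. None if clean."""
    last = None
    for last in HTML_END.finditer(body):
        pass
    tail = body[last.end():] if last else body
    hit = SCRIPT_TAG.search(tail)
    return tail[hit.start():].strip() if hit else None


def global_footer(responses: dict) -> Optional[str]:
    """Given {url: body} responses from one host, return the appended script
    fragment if every response carries the same one. An identical tail on
    every file is the signature of a server-wide footer rather than one
    edited page."""
    fragments = {appended_script(body) for body in responses.values()}
    if len(fragments) == 1 and None not in fragments:
        return fragments.pop()
    return None


# Constructed sample responses (not captured traffic); the path is a placeholder.
INJECTED = '<script src="/footer.js"></script>'
SAMPLE_INFECTED = {
    "/index.html": "<html><body><p>Welcome</p></body></html>\r\n" + INJECTED,
    "/about.html": "<HTML><body>About us</body></HTML>\n" + INJECTED,
    "/site.css": "body { margin: 0 }\n" + INJECTED,
}
SAMPLE_CLEAN = {
    "/index.html": "<html><body><p>Welcome</p></body></html>\r\n",
    # A script inside the document itself is normal and is not flagged.
    "/about.html": "<HTML><body><script>var x=1;</script></body></HTML>\n",
}

if __name__ == "__main__":
    print("infected site footer:", global_footer(SAMPLE_INFECTED))
    print("clean site footer:", global_footer(SAMPLE_CLEAN))
```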

Advisories and disinfection instructions are available from Symantec, F-Secure and Computer Associates.

Microsoft first reported the exploited IE vulnerability as extremely critical on June 10, but the company has yet to issue a security fix.

"Microsoft is actively investigating these reports to determine the appropriate course of action to protect our customers. This might include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs," Microsoft said in a statement.

Since then, malicious hackers have unleashed "zero day exploits" to load adware or spyware programs and browser toolbars on vulnerable machines.