Friday 25 June 2004
Latest attack hits web users through top sites
Internet users visiting some of the most popular sites on the web may unwittingly be downloading malicious code that compromises their computers and sets up a relay network for a future onslaught of spam, a security services company warned.
NetSec, which provides managed security services for large businesses and government agencies, began detecting suspicious traffic on several of its customers' networks yesterday morning, said chief technology officer Brent Houlahan.
Examining firewall logs and other data points on those networks, NetSec found that when users visit certain popular websites - including an online auction, a search engine and a comparison shopping site - they unwittingly download a piece of malicious JavaScript code attached to an image or graphics file on the site.
Without the user's knowledge, the code connects their PC to one of two IP (Internet Protocol) addresses in North America and Russia. From those systems they unknowingly download a piece of malicious code that appears to install a keystroke reader and probably some other malicious code on the computer, Houlahan said.
The code may be gathering the addresses of websites visited by affected users and the passwords used to access them. In addition, the IP address in Russia is a known source of spam, and the code may be creating a network of infected machines that could be used to relay spam across the internet at some later date, he said.
He stressed that NetSec is still examining the code and has yet to determine the exact payload or the intent of the attack.
The SANS Institute's Storm Centre is also studying the outbreak and has found that the code surreptitiously downloads and installs a Trojan horse program named msits.exe, according to Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Centre.
Ullrich did not specify what functions are performed by the msits.exe trojan.
NetSec declined to name the affected websites for liability reasons but said they are "big, big sites".
It is probably the web hosting facilities which cache content for those sites that are infected, rather than the "origin servers" at the internet service providers themselves, Houlahan said.
"The tricks used in this particular attack method are nothing new. What's significant about this is the fact that it impacts major web hosting facilities," said Dan Frasnelli, manager of NetSec's technical assistance centre.
The attack affects only users running Microsoft's Windows operating system and Internet Explorer browser, he said.
It was unclear how the attack originated, but it may exploit a known vulnerability in Microsoft's IIS (Internet Information Services) web server software at the web hosting facilities, Frasnelli said.
The US Computer Emergency Response Team (Cert) called on system administrators running IIS version 5 to verify that there is no unusual JavaScript appended to the bottom of pages served by their systems.
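One way to run the check Cert recommends above, as an added example that is not code from the article or from any of the organisations it quotes: compare a page as served with the copy on disk, and flag any script element that appears after the closing html tag. The sample pages and the hypothetical footer URL are constructed for the example.

```python
import re
from typing import Optional

# Matches a whole <script> element, case-insensitively, across line breaks.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)


def scripts_after_html_close(served: str) -> list:
    """Return every <script> element found after the last </html> tag.

    A normal page ends at </html>; script that follows it is the signature
    of a server appending a footer to pages on the way out.
    """
    closes = list(HTML_CLOSE_RE.finditer(served))
    if not closes:
        return []  # no </html> at all: nothing can be "appended after" it
    tail = served[closes[-1].end():]
    return [s.strip() for s in SCRIPT_RE.findall(tail)]


def appended_content(on_disk: str, served: str) -> Optional[str]:
    """Return whatever the server added beyond the on-disk file.

    None means the served body is identical to the file, or differs
    somewhere other than at the end (not a plain appended footer).
    """
    if served == on_disk or not served.startswith(on_disk):
        return None
    return served[len(on_disk):]


def audit(on_disk: str, served: str) -> dict:
    """Combine both checks; 'suspicious' is True when script was appended."""
    tail_scripts = scripts_after_html_close(served)
    extra = appended_content(on_disk, served)
    return {
        "suspicious": bool(tail_scripts) or bool(extra and SCRIPT_RE.search(extra)),
        "tail_scripts": tail_scripts,
        "appended": extra,
    }


# Constructed sample pages (not captured from any real site).
CLEAN_PAGE = "<html><head><title>Shop</title></head><body><p>Welcome</p></body></html>\n"
# The same file with a script footer appended by the server (hypothetical URL).
FOOTER_PAGE = CLEAN_PAGE + '<script language="JavaScript">window.open("http://example.invalid/")</script>\n'

if __name__ == "__main__":
    for label, body in (("clean", CLEAN_PAGE), ("footered", FOOTER_PAGE)):
        result = audit(CLEAN_PAGE, body)
        print(label, "SUSPICIOUS" if result["suspicious"] else "ok", result["tail_scripts"])
```

In practice the on-disk copy comes from the web root and the served copy from an HTTP request made with an Internet Explorer User-Agent, since the attack served the footer only to that browser.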
It was also unclear how many systems had been compromised and how widespread was the problem. NetSec said it had protected its own customers by writing custom intrusion detection signatures and blocking its customers' PCs from visiting the IP addresses involved in the attack.
"There's a potential for widespread impact because currently the [anti-virus] suppliers don't have a signature for it," Frasnelli said.
Cert said the attack was another example of why users must exercise caution when JavaScript is enabled on their systems and recommended it be disabled unless it is absolutely necessary. The group warned even web servers trusted by the user may be affected by this attack and contain malicious code.
When the trojan is active, one of its threads is constantly looking for the following text strings in Microsoft Internet Explorer windows:
Johannesburg - Police have warned South Africans who have given credit card details to eBay to cancel their cards immediately. Inspector Rian Visser of the SA police's commercial crimes unit claims that members of the Nigerian 419 syndicate have hacked into the database of eBay, the world's largest internet auction house.
Visser, who specialises in 419 investigations, says attempts to have this verified have failed. "The strangest thing is that I am not getting any reaction about the hacking from eBay, despite repeated attempts.
"Agents of the American Secret Security Service (SSS) visited eBay, but they also complained that they could not get any information from them," Visser said.
eBay has since denied the reports.
Visser, who said local police and the SSS had joined forces in a massive investigation, added that according to reports, the syndicate also hacked into the database of an American internet service provider, E-tronics.
Visser said indications are that highly confidential details of about 400 000 people are involved in the two investigations.
Thousands of South Africans conduct business on eBay.
Visser said it is thought the people behind the 419 scam gained access to the credit card numbers - including the three numbers at the back of the credit card - addresses and identity numbers of thousands of eBay clients and have started to distribute this to other syndicate members.
Visser warned South Africans whose personal details could be in eBay's database to stop their credit cards at their banks immediately.
The Nigerian 419 fraud syndicates have spread their tentacles all over the world and thousands of criminals form part of it.
The first scam was committed by Nigerians, hence the name Nigerian 419. The figure 419 is the article in the Nigerian penal code that makes such actions punishable by law.
Visser said thousands of gullible people all over the world have become victims of 419 schemes and have lost millions of rands.
There are reports that a database with the personal information of thousands of eBay members has turned up in Nigeria:
http://www.419legal.org/alerts/ebay_database_alert.htm
They recommend closing all credit card accounts. Anyone heard something about it?
Here's the deal. In late June, the gang that tracks global internet disruption (the storm center at SANS http://isc.sans.org/) became aware of a new form of internet attack that was infecting websites whose servers run on a specific Microsoft program, IIS 5.0. It behaved unlike any previous bug they'd ever seen, and it took them several days to figure out how it worked because it infected sites in a way that was very difficult to detect.
It used a security hole in the software to get into the servers, uploaded a small javascript file, and modified the server configuration to instruct it to download the file to anyone visiting the site using an IE browser. It did this without changing any of the existing files on the server.
That javascript file contained some very nasty code. Any IE users who visited an infected site immediately got the file downloaded to their computer. The file then opened and instructed the user's browser to go to a website in Russia, download an .exe file, and install it. All of this happened while the user was happily browsing, totally unaware.
Users got one or more .exe programs installed on their systems, including keystroke loggers and other nasties that gave the attackers the ability to control a PC without the user's knowledge.
The keystroke logging program captured data in real-time as users were typing things like their login passwords or credit card numbers and immediately sent the data to a site in Russia. That's how scob mimics a phishing email - it's as if you clicked on a link yourself and voluntarily gave them the info. But you didn't. And the place you picked up that infection was your friendly, trusted website.
Here are two links for anyone still awake who wants to read more of the techno data.
This is a link to SANS. The "handler on duty" posts a diary each day of internet activity. This link is to June 25th, but info about the attack started days earlier and continued days later. http://isc.sans.org/diary.php?date=2004-06-25
THIS is a link to a security company called LURHQ, whose staff were involved in helping identify the virus. This is their analysis of the trojan. Note carefully the sites they identify as being infected: http://www.lurhq.com/berbew.html
And that is why I keep asking eBay, whose "servers were not hacked", to tell us whether they were infected with scob.