An unusual Web virus that was spread to user computers through infected Web site servers might be a Trojan capable of sending financial information back to the attacker. Microsoft said it helped law enforcement agencies identify and shut down the Russia-based site from which the attacking code, known as “Scob,” “Download.Ject” or “Toofer,” was being delivered.
However, the Internet Storm Center urged all Web users to remain cautious. “Even though the main issue is over, the same exploit is continuing to be used by Web sites out there for malicious purposes,” it said in a warning issued late Sunday.
Several security firms warned that the code that might have been left behind on infected computers could be recording and transmitting sensitive financial data.
Security firms suspect the Trojan was programmed to send information back to a Russia-based identity-theft ring that would then sell the pirated information on the black market. Some said a group known as HangUP, which helped propagate the Korgo family of worms, was likely behind the attack, which several researchers said exhibited a high level of sophistication.
Two Targets in One
The attack chained flaws in two products: a vulnerability in the Windows 2000 server version of Microsoft Internet Information Services (IIS) let the attackers plant code on Web servers, and a vulnerability in Windows versions of the Internet Explorer browser let that code install malware on the computers of Web surfers who visited the compromised sites.
Rob Kodey, vice president of technology at Web monitoring firm Cyveillance, told the E-Commerce Times that more than 600 Web sites were still infected with the malicious code as of Monday. That number was higher than many estimates, “but it could easily have been a lot higher” because many sites use the Microsoft software.
Still, the threat to computer users has significantly diminished, Kodey said, because the Russian site had been taken down, eliminating the chance that code would be delivered to vulnerable browsers.
Kodey said sites with still-infected servers run the gamut from e-commerce sites to news and information sites, but none are among the most heavily visited sites on the Web. “There’s no names in there that everyone would instantly recognize,” he added.
Security firms said the attack was unique in that it used even legitimate, trusted Web sites to spread the malicious code. Similar attacks in the past have infected users lured to fraudulent sites.
More to Come
Scott Montgomery, director of product marketing for Secure Computing, described the methodology used in the attack as “scary” because it uses vulnerabilities in two pieces of technology: the server and the browser.
“It’s really quite a well-thought-out attack,” Montgomery told the E-Commerce Times. “The combination of two vulnerabilities being used in tandem leaves me a bit cold.”
Montgomery said similar attacks that follow the same “blueprint” are likely. “With two things as complex as server software and browsers involved, the chances of other exploits being found are pretty high,” he added.
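The two-stage blueprint described above, a compromised server handing code to vulnerable browsers, is something a site operator can check for from the server side even before the browser flaw is patched. The following is an added example, not code from the article or from any vendor quoted in it: it audits pages as served for script references to origins the operator has not approved, and for content trailing the closing </html> tag. The sample pages, the hostnames, the allowlist and the shape of the injected tag are all constructed assumptions; the article does not state how the malicious code was placed on the compromised servers.

```python
import re
from urllib.parse import urlsplit

# Constructed sample pages, standing in for what an operator would fetch
# from their own server. The appended <script> on /news.html is a
# hypothetical illustration of injected content, not the actual payload
# used in the attack described in the article.
SAMPLE_PAGES = {
    "/index.html": (
        '<html><head><title>Shop</title>'
        '<script src="/js/cart.js"></script></head>'
        '<body>Welcome</body></html>'
    ),
    "/news.html": (
        '<html><head><title>News</title></head><body>Headlines</body></html>'
        '<script src="http://203.0.113.7/x.js"></script>'  # trailing injection
    ),
    "/about.html": (
        '<html><head>'
        '<script src="https://cdn.example-partner.net/lib.js"></script>'
        '</head><body>About</body></html>'
    ),
}

# Operator-maintained allowlist of third-party script origins (assumed values).
ALLOWED_ORIGINS = {"cdn.example-partner.net"}
SITE_HOST = "www.example.com"  # assumed hostname of the audited site

# Matches <script ... src="..."> in the served HTML.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.IGNORECASE
)


def script_hosts(html, site_host=SITE_HOST):
    """Return the host each <script src> on the page loads from.

    Relative URLs resolve to the site's own host; absolute and
    protocol-relative URLs report their own netloc.
    """
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        netloc = urlsplit(src).netloc
        hosts.append(netloc.lower() if netloc else site_host)
    return hosts


def trailing_content(html):
    """Return any non-whitespace content after the last </html> tag."""
    idx = html.lower().rfind("</html>")
    if idx == -1:
        return ""
    return html[idx + len("</html>"):].strip()


def audit(pages, allowed_origins=ALLOWED_ORIGINS, site_host=SITE_HOST):
    """Flag script origins outside the allowlist and content past </html>.

    Returns a list of (path, finding, detail) tuples, in page order.
    """
    findings = []
    for path, html in pages.items():
        for host in script_hosts(html, site_host):
            if host != site_host and host not in allowed_origins:
                findings.append((path, "unexpected script origin", host))
        tail = trailing_content(html)
        if tail:
            findings.append((path, "content after </html>", tail[:60]))
    return findings


if __name__ == "__main__":
    for path, finding, detail in audit(SAMPLE_PAGES):
        print(f"{path}: {finding}: {detail}")
```

Run against a real site, the page dictionary would be built from fetched responses rather than literals; the two checks are deliberately independent, since an injection that lands inside <head> would only trip the origin check, while one appended after the document would trip both.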
Patching it Up
Speaking in Australia, Microsoft Chairman Bill Gates said the software company moved quickly to fix the flaws exploited by Scob, and that the company could deploy fixes even more rapidly if more computers used the auto-update feature of Windows XP.
“We will guarantee that the average time to fix will continue to come down,” Gates said. “The thing we have to do is not only get these patches done very quickly. We also have to convince people to turn on auto update.”
Security firm Symantec said the virus was relatively easy to remove, and pointed out that because it does not self-propagate once it infects a machine, it did not spread nearly as rapidly as other recent Web-based attacks.