News

Web attack aims to steal surfers’ financial details
ISPs hosting major online auction and banking sites may have been compromised
Update: possible source server shut down

A new Internet attack discovered late yesterday was designed by an infamous group of Russian virus writers to steal credit card and other financial information from Web surfers and send it to Web sites where it can be retrieved by the hackers, security experts warned today.

News Story by Scarlet Pruitt

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,94114,00.html?nas=AM-94114

Mikko Hypponen, director of antivirus research at Helsinki antivirus company F-Secure Corp., said his team had stayed up all night examining details of the new threat and have connected it with a known Russian virus-writing group called Korgo.

According to Hypponen, the group has hacked into Web servers of some major Internet service providers that host "huge" Web sites, such as an online auction site and banking sites, to append malicious code to their pages. This code, which security researchers are calling "Scob," connects a user’s PC to Web addresses run by the hackers, from which they can silently download and install a Trojan horse. The Trojan horse then uses a keystroke logger to collect Web surfers’ passwords, log-ins, PayPal payment data and other sensitive information, Hypponen said. The information is then sent to Web sites where the hackers can retrieve it.

"It just boggles the mind when you see the amount of information available on these sites — credit card numbers, banking information — and it’s available to anyone who knows the Web sites," Hypponen said.

He added, however, that the Web addresses where the information is being stored aren’t obvious and that potential hackers would have to reverse-engineer the code to find them.

Law authorities, who were already investigating the Korgo group, have an open investigation into the case and are working on shutting down the sites, Hypponen said.

Graham Cluley, senior technology consultant at security firm Sophos PLC, said his team has also connected the threat to the Korgo group. However, he said the team hasn’t been able to get through to the Web addresses that download the Trojan horse.

"So far, it doesn’t cause much harm, but the hackers could choose to redirect users to other addresses that work," he said.

Cluley also warned that the hackers could choose to change the Trojan horse, enabling it to launch a spam or denial-of-service attack. "The world is really their oyster," he said.

Security experts have said that the attack affects only users of certain versions of Microsoft Corp.’s Internet Explorer browser.

Additionally, Cluley said it appears that the threat affects only Web servers running Microsoft Internet Information Services 5 Web Server software and not Microsoft IIS 6, which comes with Windows 2003 Server.

In the meantime, various antivirus firms are working to update their products to protect against the threat. As of early this morning, F-Secure had updated its offering to protect users, Hypponen said. He expected other companies to follow shortly.

Additionally, Cluley said there has been some evidence that Web sites have been able to avoid the threat because they downloaded a patch made available by Microsoft in April to thwart the Sasser worm. "Our advice is that everyone download the Sasser patch," Cluley said. "And really, sites that haven’t done so yet, that have slept through the whole Sasser hoopla, really cannot say that they take their network security seriously."

Because most sites should have patched against Sasser, and Sophos has been unable to connect to the addresses hosting the Trojan horse code, Cluley believes that the attack isn’t a huge threat so far. However, he warned that this could change.

The threat was initially detected late yesterday, with managed security services firm NetSec Inc. and the SANS Institute’s Storm Center warning against the vulnerability.

So far, all of the security researchers have remained tight-lipped about which major Web sites are being affected by the attack. It is also unclear how many users and sites have been affected so far.

Reprinted with permission from

For more news from IDG visit IDG.net
Story copyright 2004 International Data Group. All rights reserved.

***************

Russian server blamed for latest Web virus
Source of infection, which may have been aimed at stealing financial data, shut down

Robert Lemos, Cnet News.com
Saturday, June 26, 2004
San Francisco Chronicle

http://sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2004/06/26/BUGND7CI841.DTL&type=business

Web surfers are no longer playing Russian roulette each time they visit a Web site, security researchers said Friday after a far-reaching Internet attack had been disarmed.

The attack, which turned some corporate Web sites into points of digital infection, was halted Friday when Internet engineers managed to shut down a Russian server that had been the source of malicious code. Compromised Web sites are still trying to infect Web surfers’ PCs by redirecting them to the server in Russia, but that computer can no longer be reached.

Security experts said the Russian server downloaded Trojan horse software onto a user’s computer that could be used by a remote attacker to record keystrokes and steal valuable information such as passwords, credit card numbers and bank account information for remote delivery to hackers.

Cutting the link to the Russian server "stops the problem for the short term," said Alfred Huger, senior director of engineering for Symantec Corp., a security software company in Cupertino.

"However, it just takes a new culprit to come along and do the same thing," Huger said. The Internet underground is increasingly using this type of attack as a way to get by network defenses and infect office workers’ and home users’ computers.

"It is a tremendously powerful way to get into a corporation," Huger said. "It is significantly easier to lure a number of employees to a compromised Web site than to get through a company’s perimeter, which they may have spent hundreds of thousands of dollars to secure."

The latest Internet attack, discovered by Microsoft Corp. on Thursday, appears to take advantage of three separate flaws in Microsoft products.

Stephen Toulouse, a security program manager at Microsoft, said software updates to fix two of them were released in April, but the third flaw was just discovered, so Microsoft has no patch available yet.

Toulouse recommended that computer owners get the latest security updates for Microsoft products and their antivirus and firewall programs. For the flaw that lacks a patch, he said, users should turn security settings on Microsoft’s Internet Explorer browsers to the highest levels.

Users can also turn off the JavaScript feature on their Microsoft browsers, but doing so might cripple functions on some sites.

The virus does not affect Macintosh versions of Internet Explorer, nor does it spread through non-Microsoft browsers such as Mozilla and Opera.

Users can search their computers for the files Kk32.dll or Surf.dat to see if they are infected. Removal tools are available from major antivirus vendors.
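The two checks the articles describe, as an added example that is not part of either report: the first article says the attackers appended code to compromised pages that sends the visitor’s browser to Web addresses the attackers run, and the second says users can look for the files Kk32.dll or Surf.dat on their machines. The script below does both from a defender’s side: it flags script or iframe sources on a page that load from a host outside an allowlist, and it walks a directory tree for the two named file indicators. The trusted-host list, the sample HTML pages and the temporary directory are constructed for the example, and the "external host is suspicious" rule is an assumption rather than a detection signature published by any of the named vendors.

```python
import os
import re
import tempfile
from pathlib import Path

# File names named in the article as indicators of infection (matched case-insensitively).
INDICATOR_FILES = {"kk32.dll", "surf.dat"}

# Assumption: hosts this site legitimately loads scripts from. Constructed for the example;
# a real deployment would build this from the site's own configuration.
TRUSTED_HOSTS = {"www.example-bank.test", "static.example-bank.test"}

# <script src=...> or <iframe src=...>, capturing the URL (quoted or bare).
SRC_RE = re.compile(r'<(?:script|iframe)\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
# Absolute or protocol-relative URL: capture the host part.
HOST_RE = re.compile(r'^(?:https?:)?//([^/:?#]+)', re.IGNORECASE)


def external_script_hosts(html, trusted_hosts=TRUSTED_HOSTS):
    """Return the hosts of script/iframe sources that are not in the trusted set.

    Relative URLs are served by the site itself and are ignored; anything pulled
    from an unlisted host is reported so an operator can review the page.
    """
    suspicious = []
    for src in SRC_RE.findall(html):
        match = HOST_RE.match(src)
        if not match:
            continue  # relative path, served from this site
        host = match.group(1).lower()
        if host not in trusted_hosts:
            suspicious.append(host)
    return suspicious


def find_indicator_files(root):
    """Walk `root` and return paths whose file name matches a known indicator."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in INDICATOR_FILES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


# Constructed sample pages: a clean page and the same page with an appended external script.
CLEAN_PAGE = (
    "<html><head><title>Login</title>"
    '<script src="/js/app.js"></script>'
    '<script src="https://static.example-bank.test/lib.js"></script>'
    "</head><body><script>var ready = true;</script></body></html>\n"
)
TAMPERED_PAGE = CLEAN_PAGE + '<script src="http://malicious-host.invalid/x.js"></script>\n'


def demo_indicator_scan():
    """Build a constructed directory tree with one indicator file and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        system_dir = Path(tmp, "system32")
        system_dir.mkdir()
        (system_dir / "Kk32.dll").write_bytes(b"")       # constructed indicator hit
        (system_dir / "kernel32.dll").write_bytes(b"")   # ordinary file, must not match
        return [os.path.basename(p) for p in find_indicator_files(tmp)]


if __name__ == "__main__":
    print("clean page external hosts:", external_script_hosts(CLEAN_PAGE))
    print("tampered page external hosts:", external_script_hosts(TAMPERED_PAGE))
    print("indicator files found:", demo_indicator_scan())
```

The page check is deliberately a review aid rather than a blocker: a site that adds a new content-delivery host will trip it until the allowlist is updated, which is the intended behaviour for a change that nobody announced.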

Experts said the infection was unusually broad but wasn’t substantially interfering with Internet traffic. The virus does not attempt to spread itself, thus helping to limit its effect.

Still, the network of compromised Web sites used in the attack is far larger than any before, said Johannes Ullrich, chief technology officer of the Internet Storm Center, a Net threat-monitoring site. "This is the first time that this many Web sites got hit," he said.

The U.S. Computer Emergency Readiness Team warned that any Web site, even those trusted by users, might have been used to spread the virus.

The Associated Press contributed to this report.
