By Robert Vamosi
(June 25, 2004)
Criminal hackers (a.k.a. crackers) have launched a different kind of attack on the Internet this week. Simply by visiting certain infected, popular Web sites, home and business Internet surfers using Internet Explorer on a PC may indirectly download a remote-access Trojan horse (RAT) onto their desktop computers, which, in turn, may record the keystrokes needed to log in to secure sites and relay that information to remote sources. This attack does not, however, slow or otherwise interfere with Internet traffic, and it affects only Internet Explorer browsers. Other browsers, including Opera and Mozilla, are not affected. Systems running Linux, Mac OS, Unix, and other operating systems are also unaffected. Microsoft is urging Web sites running on Windows 2000 servers with IIS Version 5.0 to update with the MS04-011 security patch. However, home and business Internet surfers using Internet Explorer are left with few options. Given the widespread but not yet epidemic nature of this attack, we're assigning this threat a Medium designation.
How it works
There are two parts to this attack. Part one has already happened and affected Web site hosts. Earlier this week, crackers identified Windows 2000 servers with IIS Version 5.0 that have not applied the latest security patch from Microsoft, MS04-011. Some of the affected Web sites are popular search engines, shopping sites, and auction sites. The configurations of these servers were altered to include a small file that is, in turn, added to each file that users request.
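A check a site operator could run for the server-side change described above, as an added example that is not part of the original article: it compares each file as stored on disk with what the Web server actually returned and reports content added after the original bytes. It assumes the added file lands at the end of the response and that the operator has collected both copies; `audit`, `appended_suffix`, and the sample data are hypothetical.

```python
import re
from collections import Counter
from typing import Dict, Optional, Tuple

SCRIPT_TAG = re.compile(rb"<\s*script\b", re.IGNORECASE)


def _norm(data: bytes) -> bytes:
    # Ignore line-ending and trailing-whitespace differences.
    return data.replace(b"\r\n", b"\n").rstrip()


def appended_suffix(source: bytes, served: bytes) -> Optional[bytes]:
    """Return bytes added after the on-disk content, or None."""
    src, out = _norm(source), _norm(served)
    if out != src and out.startswith(src):
        return out[len(src):].strip()
    return None


def audit(pages: Dict[str, Tuple[bytes, bytes]]) -> dict:
    """pages maps a URL path to (bytes on disk, bytes the server returned)."""
    suffixes, modified = {}, []
    for path, (source, served) in pages.items():
        suffix = appended_suffix(source, served)
        if suffix is not None:
            suffixes[path] = suffix
        elif _norm(source) != _norm(served):
            modified.append(path)  # differs, but not by a trailing addition
    shared = [s for s, n in Counter(suffixes.values()).items() if n > 1]
    return {
        "appended": sorted(suffixes),
        "modified": sorted(modified),
        # One trailer on several files suggests a server-wide setting, not a page edit.
        "shared_footer": shared[0] if shared else None,
        "footer_has_script": any(SCRIPT_TAG.search(s) for s in suffixes.values()),
    }


# Constructed sample data: files as stored and as served (not from the article).
FOOTER = b'<script src="/placeholder.js"></script>'
SAMPLE = {
    "/index.html": (b"<html><body>Home</body></html>\r\n",
                    b"<html><body>Home</body></html>\n" + FOOTER),
    "/style.css": (b"body { margin: 0 }\n", b"body { margin: 0 }\n" + FOOTER + b"\n"),
    "/about.html": (b"<p>About</p>", b"<p>About</p>"),
}
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Including non-HTML files such as stylesheets in the comparison helps, because a trailer that shows up on them cannot be explained by a page template.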
Microsoft has created a page to update users on this attack. Web site hosts running Windows Server 2000 with IIS Version 5.0 should install the security patch MS04-011 if they haven't done so. End users should install MS04-013 if they have not already done so; they should also increase their security settings within Internet Explorer and update their antivirus settings to protect against known Trojan horses that may be installed because of this attack.