Staff Writer, CNET News.com
Netizens are no longer playing Russian Roulette each time they visit a Web site, security researchers say, now that a far-reaching Internet attack has been defanged.
The attack, which had turned some Web sites into points of digital infection was nipped in the bud on Friday, when Internet engineers managed to shut down a Russian server that had been the source of malicious code for the attack. Compromised Web sites are still attempting to infect Web surfers' PCs by referring them to the server in Russia, but that computer can no longer be reached.
Still, Web surfers should still take care, as this type of attack is increasingly being used by the Internet underground as a way to get by network defenses and infect officer workers' and home users' computers.
"This stops the problem for the short term," said Alfred Huger, senior director of engineering for security company Symantec. "However, it just takes a new culprit to come along and do the same thing all over again."
The attack worked by infecting some Web sites so that when Net surfers visited those sites, they were redirected to the Russian server, which downloaded software onto surfers' PCs. That software could be used by a remote attacker to control those computers. It's unclear what the attackers' motivation may have been, though some have speculated the software could be used to send spam.
"It is a tremendously powerful way to get into a corporation," he said. "It is significantly easier to lure a number of employees to a compromised Web site than to get through a company's perimeter, which they may have spent hundreds of thousands of dollars to secure."
More on the Russian Trojan
Infected Web site attack prevention
Researchers warn of infected Web sites
The tactic is not new. Earlier this month, an independent security researcher found an aggressive piece of advertising software, known as adware, that had installed itself onto victims' computers. A large financial client called in Symantec in late April after an employee used Internet Explorer to browse an infected Web site and his system became infected. Last fall, a similar attack may have been facilitated through a mass intrusion at Interland, said sources familiar with that case.
The Internet Explorer flaws that allowed the Russian attack, however, affect every user of the Web browser, because Microsoft has not yet released a patch. Microsoft advised users to set their browsers' security to the highest settings, even though doing so could break some Web functionality. The company also promised a patch for the flaws soon.
"We are not seeing that this threat is widespread, but we believe the threat to be real," said Stephen Toulouse, security program manager for Microsoft's security response center.
Researchers believe that attackers seed the Web sites with malicious code by breaking into unsecured servers or by using a previously unknown vulnerability in Microsoft's Web software, Internet Information Server, or IIS. After that code redirected them to one of two sites, most often to the server in Russiam, that server used the pair of Microsoft Internet Explorer vulnerabilities to upload and execute a remote access Trojan horse, also simply called a RAT, to the victim's PC. The software records the victim's keystrokes and opens a back door in the system's security, in that way allowing the attacker to access the computer.
It's unknown how many Web sites were compromised by attackers and whether any high-traffic sites were affected. But it's believed that the number of infected Web sites is relatively small given the total number of site on the Web.
Still, the network of compromised Web sites used in the attack is far larger than any before, said Johannes Ullrich, chief technology officer of the Internet Storm Center, an Net threat monitoring site.
"This is the first time that this many Web sites got hit," he said. "The only other widespread use of this attack was Nimda, and that didn't work very well because the exploit wasn't as effective."
Most antivirus companies issued updates overnight to allow their programs to detect the program when it is uploaded from the Internet to a victim's PC, so computer users should update their virus definitions as soon as possible, Ullrich said.