Infected Web site attack prevention

A new method of attacking desktop computers involves malicious code embedded in the pages of popular Web sites.


By Robert Vamosi

(June 25, 2004)

Criminal hackers (a.k.a. crackers) have launched a different kind of attack on the Internet this week. By simply visiting certain infected popular Web sites, home and business Internet surfers using Internet Explorer on a PC may indirectly download a remote-access Trojan horse (RAT) onto their desktop computers, which, in turn, may record the keystrokes needed to log in to secure sites and relay that information to remote sources. This attack does not, however, slow or otherwise interfere with Internet traffic, and it affects only Internet Explorer browsers. Other browsers, including Opera and Mozilla, are not affected. Systems running Linux, Mac OS, Unix, and other operating systems are also unaffected. Microsoft is urging operators of Web sites running on Windows 2000 servers with IIS Version 5.0 to apply the MS04-011 security patch. However, home and business Internet surfers using Internet Explorer are left with few options. Given the widespread but not yet epidemic nature of this attack, we're assigning this threat a Medium designation.

How it works
There are two parts to this attack. Part one has already happened and affected Web site hosts. Earlier this week, crackers identified Windows 2000 servers with IIS Version 5.0 that have not applied the latest security patch from Microsoft, MS04-011. These Web sites include some popular search engines, shopping sites, and auction sites. The configurations of these servers were altered to include a small file that is, in turn, added to each file requested by users.
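A check a site operator could run for the server-side change described above, comparing what the server returns with the file on disk. This is an added example, not part of the original article; the paths, page bodies, and trailer are constructed, and it assumes static files are normally served byte-for-byte.

```python
import re
from collections import Counter

SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)

def classify(on_disk: bytes, served: bytes) -> tuple[str, bytes]:
    """Compare one served body with its source file; return (status, extra bytes)."""
    if served == on_disk:
        return "match", b""
    if served.startswith(on_disk):
        return "appended", served[len(on_disk):]
    return "modified", b""  # differs, but not by a simple append

def audit(pages: dict[str, tuple[bytes, bytes]]) -> dict:
    """pages maps URL path -> (bytes on disk, bytes the server returned)."""
    results = {p: classify(disk, served) for p, (disk, served) in pages.items()}
    # Count identical trailers: one trailer on every file points at a
    # server-wide configuration change rather than an edit to a single page.
    trailers = Counter(extra for status, extra in results.values()
                       if status == "appended")
    return {
        "per_file": {p: status for p, (status, _) in results.items()},
        "trailers": dict(trailers),
        "script_in_trailer": any(SCRIPT_TAG.search(t) for t in trailers),
        "server_wide": (bool(results) and len(trailers) == 1
                        and all(s == "appended" for s, _ in results.values())),
    }

# Constructed sample data: two pages, each served with the same extra bytes.
TRAILER = b'<script src="/constructed-footer.js"></script>'
SAMPLE = {
    "/index.html": (b"<html><body>Home</body></html>",
                    b"<html><body>Home</body></html>" + TRAILER),
    "/cart.html": (b"<html><body>Cart</body></html>",
                   b"<html><body>Cart</body></html>" + TRAILER),
}

if __name__ == "__main__":
    report = audit(SAMPLE)
    for path, status in report["per_file"].items():
        print(f"{path}: {status}")
    print("server-wide trailer:", report["server_wide"],
          "| contains script:", report["script_in_trailer"])
```
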


The second part of the attack affects home and business users of the Internet and occurs whenever an Internet surfer stumbles upon a Web page served by an infected server. Unfortunately, you cannot immediately discern whether a page is infected, and the known infected pages include some hosted on major Web sites. The second part of the attack uses two vulnerabilities: one that can be patched with Microsoft security patch MS04-013, and another that can't be patched at this time. The flaws affect Internet Explorer only and allow malicious JavaScript from the infected Web server to execute on the desktop system. The JavaScript, in turn, downloads a remote-access Trojan horse from a remote site. This Trojan can record keystrokes used when logging into bank accounts and auction sites and when using a credit card to make a purchase online.

Microsoft has created a page to update users on this attack. Web site hosts running Windows 2000 servers with IIS Version 5.0 should install the security patch MS04-011, if they haven't done so. End users should install MS04-013, if they have not already done so. They should also increase their security settings within Internet Explorer and update their antivirus settings to protect against known Trojan horses that may be installed because of this attack.
