Researchers warn of infectious Web sites

Net surfers beware: "Serious" flaws let compromised servers at major companies take control of computers via Internet Explorer.

Stay on top of the latest tech news with our free IT News Digest e-newsletter, delivered each weekday. Automatically sign up today!

By Robert Lemos
Staff Writer, CNET

Security researchers warned Web surfers on Thursday to be on guard after uncovering evidence that widespread Web server compromises have turned corporate home pages into points of digital infection.

The researchers believe that online organized crime groups are breaking into Web servers and surreptitiously inserting code that takes advantage of two flaws in Internet Explorer that Microsoft has not yet fixed. Those flaws allow the Web server to install a program that takes control of the user's computer.

The extent of the attacks is unknown, but the security community has seen numerous cases of personal computers infected when the user merely visits a Web site.

"It is not epidemic, but it is being seen," said Alfred Huger, senior director of engineering for security company Symantec. "Do we think it is serious? Yeah. It's a concern and it's insidious."

The tactic is not new. Earlier this month, an independent security researcher found an aggressive advertising program, known as adware, that via the same two flaws in Internet Explorer. A large financial client called in Symantec in late April after an employee's system had been infected when he used Internet Explorer to browse an infected Web site. Last fall, a similar attack may have been facilitated through a , said sources familiar with that case.

This time, however, the flaws affect every user of Internet Explorer, because Microsoft has not yet released a patch. Moreover, the infectious Web sites are not just those of minor companies inhabiting the backwaters of the Web, but major companies, including some banks, said Brent Houlahan, chief technology officer of NetSec.

"There's a pretty wide variety," he said. "There are auction sites, price comparison sites and financial institutions."

More on the Russian Trojan
Web site virus attack brunted—for now
Infected Web site attack prevention

The Internet Storm Center, which monitors Net threats, confirmed that the list of infected sites included some large Web properties.

"We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.

The group also pointed out that the malicious program uploaded to a victim's computer is not currently detected as a virus by most antivirus software. With no patch from Microsoft, that leaves Internet Explorer users vulnerable. A representative of the software giant was not immediately available for comment on when a patch might be available.

Researchers believe that attackers seed the Web sites with malicious code by breaking into unsecured servers or by using a previously unknown vulnerability in Microsoft's Web software, Internet Information Server (IIS). When a victim browses the site, the code redirects them to one of two sites, most often to another server in Russia. That server uses the pair of Microsoft Internet Explorer vulnerabilities to upload and execute a remote access Trojan horse, RAT, to the victim's PC. The software records the victim's keystrokes and opens a back door in the system's security to allow the attacker to access the computer.

Currently, researchers have two theories as to who is behind the attacks. The Internet Storm Center pointed to the similarities between these attacks and previous virus epidemics aimed at .

"There is quite a bit of evidence that what we are seeing is yet another technique for spreading and installing 'spamware,'" the group stated on its site. "We don't see any evidence that this attack is related to the construction of a DDoS (distributed denial of service) network or other type of typical zombie-based attack group."

However, Symantec believes that the attacks last fall and in April, which the current one most resembles, were conducted by online organized crime groups from Russia. The theory is supported not only by the fact that the server storing the malicious code is in Russia, but also by the sophisticated nature of the attacks, Symantec's Huger said.

"It's a group of people that have resources to bring to play," he said, adding that the attack programs were not amateur material. "The code wasn't pulled off a Web site; it was custom."

Meanwhile, the average Internet surfer is left with few options. Windows users could download an alternate browser, such as Mozilla or Opera, and Mac users are not in danger.

NetSec's Houlahan advocated drastic action.

"I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now," he said.

Editor's Picks

Free Newsletters, In your Inbox