Posted on 06/25/2004 10:41:28 PM PDT by Ernest_at_the_Beach
Internet Attack Exploits Microsoft Software Flaws
Fri Jun 25, 2004 08:25 PM ET
By Duncan Martell

SAN FRANCISCO (Reuters) - A potentially dangerous attack on personal computers by a virus designed to steal financial data and passwords from Web users rippled across the Internet on Friday, computer security experts said.

The attack, which surfaced earlier this week and is known as the "Scob" outbreak, exploits a vulnerability in servers using Microsoft Corp.'s IIS software and has been called more dangerous than the recent "Sasser" and "Blaster" infections. The infected servers in turn exploit another vulnerability in Microsoft's Internet Explorer browser to install a Trojan Horse virus on the PCs of Web surfers who visit the infected Web sites, said Alfred Huger, senior director of engineering at Internet security company Symantec Corp.

"All of this takes place while it looks like you're viewing the same Web page," Huger said. "You don't even know that parts of your browser have been redirected to another Web site."
The U.S. Computer Emergency Readiness team warned on its Web site that "any Web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code." The Trojan Horse places a keystroke logger on users' PCs and is designed to capture credit card numbers and passwords and send them back to a server in Russia, said Michael Murray, director of vulnerability and exposure at computer security firm nCircle Network Security.
By late Friday, however, the threat to users' personal data has been diminished, at least for now. "The server appears to have been shut down in the last eight hours," Murray said. "We don't know if it was shut down by authorities or whether it was accidental." The attack is more alarming than most because there are no patches available yet from Microsoft to fix the vulnerability in Internet Explorer that lets the hackers take control of computers, security researchers said. On its Web site, Microsoft said users could search for the files "Kk32.dll" or "Surf.dat" to see if their PCs were infected. The company also suggested users set their browser security level to "high."
Experts also urged computer users to update their anti-virus protection software. Most anti-virus software has been updated so that it can prevent the Trojan Horse from being installed, but because there is no patch yet available, there's no way to prevent future attacks that install the virus, Huger said.
"The truly alarming part is there is no patch available for that vulnerability," Huger said.
What do the headers have to do with anything? I see no reason to believe they mean that MS software exists behind them.
Thanks for the information!
After it was detected on my machine I checked at Symantec and found the names of the two registry keys that "download.ject" writes and searched the registry for them. They were not there. I also searched my hard drives for Kk32.dll and Surf.dat. Again, nada. So it seems Norton successfully slams the door on this thing.
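The file check Microsoft recommended in the article above, and the search this poster describes, as an added Python example that is not part of the thread: it walks a directory tree for the two indicator filenames (matching case-insensitively, as Windows filenames are), skips subdirectories it cannot read instead of aborting, and returns the full paths it found. The `indicator_scan` function and the scan root are my own assumptions for illustration; only the two filenames come from the page.

```python
import os
from pathlib import Path

# Indicator filenames named in the Reuters article (Microsoft's advice).
SCOB_INDICATORS = ("kk32.dll", "surf.dat")


def indicator_scan(root, names=SCOB_INDICATORS):
    """Walk `root` and return the sorted paths of files whose name matches
    one of `names`. Matching is case-insensitive because Windows
    filesystems are; a subdirectory that raises a permission or I/O error
    is skipped so the rest of the scan still completes."""
    wanted = {n.lower() for n in names}
    hits = []

    def skip_unreadable(err):
        # os.walk hands us the OSError for a directory it could not list;
        # record nothing and let the walk continue with its siblings.
        pass

    for dirpath, _dirnames, filenames in os.walk(root, onerror=skip_unreadable):
        for fname in filenames:
            if fname.lower() in wanted:
                hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def main():
    # Scan the current user's home directory; on the affected Windows PCs
    # one would point this at the system drive instead (assumed usage).
    found = indicator_scan(Path.home())
    for path in found:
        print("indicator found:", path)
    if not found:
        print("no indicator files found")


if __name__ == "__main__":
    main()
```

A hit only tells you a file with that name exists; the poster's next step, checking the registry keys Symantec lists, is still needed to confirm or rule out an infection.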
I cannot verify who owns the website that Bush2000 recommended for getting Spybot (security.kolla.de). One WHOIS service shows NO REGISTRANT. Another WHOIS service shows "INVALID".
Spybot Search and Destroy is a VERY good program and I highly recommend it for cleaning up a system...
The official site, registered by the author of SPYBOT, is http://www.safer-networking.org/index.php?page=spybotsd
I don't know that Spybot will catch this bug yet. So far, I've only heard that the Symantec tools can find it.
I also see post #46 has some more info
>>I see no reason to believe they mean that MS software exists behind them.
You 'might' be right. I might have been premature, because I do not KNOW that Opera is a licensed repackaging of Microsoft's IE. However, their headers indicate they are COMPATIBLE with IE. Therefore if the security bug is systemic to one of the javascript commands that is unique to MS's definition of javascript, then it COULD have the same problem.
I had not heard ANY security experts recommending Opera yesterday, but did hear of some recommending Mozilla/Firefox. And some specifically said the bug does NOT affect the later pair.
Before I switched from IE to mozilla, my weekly ad-aware and spybot scans would turn up an average of 50 spyware cookies.
Since the switch, the weekly scans might turn up 1 or 2 spyware cookies.
Regarding a switch to linux, I've been considering switching too, but still keeping windows as a partition for local work only.
> I recommend users do NOT install OPERA as an alternative to IE at this time, since that appears to be a SPINOFF from IE.
Unless there is evidence of an actual Opera user being compromised during the current infection cycle, I'd tend to dismiss the above as being unsupported speculation.
> However, their headers indicate they are COMPATIBLE with IE.
I'd be more inclined to think that the headers are spoofed so that Op users have less trouble with bozo sites that claim to be MSIE-only, not because they're hard-coded to some MS'ism, but just because that's all they tested against.
Might as well go all the way to freedom and security with Linux!
Thanks. I use Opera, personally. Rather nice and you can block pop-ups, animations, whatever ticks you off.
Thank you. I ran Spybot yesterday and got rid of everything that was flagged.
Good idea! Depending on what other Windows software you typically use, you can usually either find an acceptable substitute or run the actual Windows program under WINE.
I haven't used Windows in many years. The only thing I miss is MS Flight Simulator. There is a Linux/UNIX flight sim, but it's not as good.
Yesterday, I deleted dozens of trojans/malware, and consequently, I recommended Firefox to myself. The bad programs tired me out.
"Fully patched Explorer users are attacked at will, silently,
I can testify to that. It took a few minutes to find what was spawning the bad programs and the 'parent process' always pointed to Internet Explorer. I came to the obvious conclusion as these experts did, an IE security leak.
From FireFox (with love),
Charlie
BTTT!
Everyone needs to read this!
Thanks for the ping! I'll check out these links.
Firefox and Thunderbird are now installed; everything went smoothly except for maintaining my website (with Homestead), which wanted me to install Netscape plugins. I sent off a message to tech support and will maintain the website w/ IE until I hear back.
Painless, easy
Thank you
But I honestly don't know what to do next. My version of Norton Anti Virus isn't supported, my yearly subscription is almost up, I have a trojan in quarantine, and I was wondering if I can install new Norton disks. I'm sure I have adware on my computer, maybe spyware (who knows?), and my search button has been hijacked by a different search engine - I had MSN - with no way to switch it back. I've been invaded, but the computer's still working. And I don't like the look of the Firefox browser (too busy).
I know enough to know I don't know what to do! Yikes!
Time for a new CPU, I think.