Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security Bug Internet Explorer The Internet

Corporate Servers Spreading IE Virus [Updated] 1028

Posted by CowboyNeal
from the ill-and-infectious dept.
uncadonna writes "ZDNet is reporting that corporate web servers are infecting visitors' PCs. The combination of two unpatched IE security holes and hacked corporate websites is apparently distributing malware via several high-credibility sites. ZDNet says users have 'few options' other than alternative browsers or platforms." Update: 06/25 14:50 GMT by J : A reader points out Microsoft's What You Should Know page. Here's the short version for avoiding this Critical severity attack: you must install add-on software, and change multiple settings in multiple programs, thus causing "some Web sites to work improperly." By changing more settings, you can regain functionality for a particular site if "you trust that it is safe to use," which you have no way of knowing. Or try Firefox. Update: 06/25 19:30 GMT by J : Reuters reports the attack installs a keysniffer which can steal credit card numbers, passwords, and so on. The story offers safety tips, but fails to mention that, after patching the hole, many users will be infected without their knowledge. Shouldn't the "fix" include ceasing to type anything important into your computer until you purchase software which can detect and remove the Trojan? And will you be downloading that software with Mastercard or Visa?
This discussion has been archived. No new comments can be posted.

Corporate Servers Spreading IE Virus [Updated]

Comments Filter:
  • yes (Score:5, Funny)

    by mwolff (594593) on Friday June 25, 2004 @06:56AM (#9526401)
    http://www.mozilla.org
  • by RDosage (694318) on Friday June 25, 2004 @06:58AM (#9526410)
    And I also wonder how many people will actually heed the call and switch their browser.

    However, I doubt Microsoft will do anything for at least two months. Hopefully by then a major news source will pick up the story and everyone will hear it.
    • by pyrosoft (44101) on Friday June 25, 2004 @07:02AM (#9526434)
      You mean like CNN [cnn.com]?
      • by linuxci (3530) on Friday June 25, 2004 @07:18AM (#9526511)
        You mean like CNN?

        A quick scan of that article and I couldn't see any mention of using an alternative browser, just the usual "update virus checker, etc"

        We need these sites to push the idea of Mozilla to the masses
        • by ninewands (105734) on Friday June 25, 2004 @07:59AM (#9526796)
          Quoth the poster:
          We need these sites to push the idea of Mozilla to the masses

          And just WHY should CNN, or any other news service, "push" one product over another? What possible interest could they have?

          What is needed is for people (Slashdotters???) who provide "level one" tech support to family and friends to do what I did on my fiancee's computer about three weeks ago.

          Her installed IE would crash while launching and ask if she wanted to send an error report to MS. I ran ad-aware on her box and found about a dozen "browser hijacks" in amongst all the malware cookies, etc. I removed them, removed all the "Shortcuts to IE and Outlook Express from her desktop, installed Firefox and Thunderbird (along with the AdBlock and Things They Left Out extensions and a theme she liked), then made sure they were set as the default browser and mail program. Next I imported her Inbox from Outlook Express into T-bird. Finally, I turned on pop-up blocking and showed her how to use AdBlock to block ad servers.

          She's been happy as a clam ever since. To quote, "Getting on the 'net is fun again."

          Don't ask the media to do our job for us.
          • by repetty (260322) on Friday June 25, 2004 @08:22AM (#9526992) Homepage
            > And just WHY should CNN, or any other news service, "push" one
            > product over another? What possible interest could they have?

            Rhetorical questions, both. Historically, the media frequently takes positions on all sorts of things. Your questions imply that they don't.

            While I share you enthusiasm for a grassroots process of replacing bad software with good software, historically, the evidence that suggests that this might actually happen is pretty poor.

            Almost every non-technical person that I've met doesn't care about any of this stuff. In fact, if they did not suffer from viruses and pop-ups and spam and trojans, they would worry that something is actually wrong with their computer.

            --Richard
          • by pohl (872) on Friday June 25, 2004 @09:15AM (#9527511) Homepage
            And just WHY should CNN, or any other news service, "push" one product over another? What possible interest could they have?

            I don't think they should push one product over another, but I would love to see them identify the product & vendor of the vulnerable software. Too often these stories are very generic, saying that the virus infects your computer when you visit a website -- whereas they should say that the virus infects Microsoft Windows(tm) when you use Microsoft Internet Explorer(tm) to visit a website.

            In addition, rather than saying that you should just keep your anti-virus software up-to-date, they should offer the useful tidbit that the virus could also be avoided by using alternatives the vulnerable products. They don't have to mention Opera or Mozilla. They don't have to mention Linux or MacOS X. Just let the users know that there are other things they could do beyond paying Symantec (et al) for a more recent anti-virus package.

            What's possible interest could they have in doing this? To inform. That's a novel concept for a news source, I know...but I'd still like to see it happen now & then.

        • by calethix (537786) on Friday June 25, 2004 @08:04AM (#9526848) Homepage
          yahoo news had this [com.com] article from zdnet.
          In this article, it says (towards the bottom)
          "Meanwhile, the average Internet surfer is left with few options. Windows users could download an alternate browser, such as Mozilla or Opera, and Mac users are not in danger."

          What I found somewhat funny was this quote (from NetSec's chief technology officer)
          "I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now"
          Does that mean he forsees a time in the near future when this kind of problem will go away? I don't.
    • by NeoThermic (732100) on Friday June 25, 2004 @07:06AM (#9526455) Homepage Journal
      >> And I also wonder how many people will actually heed the call and switch their browser.

      Very very few. I've got firefox installed on my family computer. Despite them getting infected with adware and spyware through IE, none of them want to use firefox. I've asked them many times, and even gone to the point of deleting IE, but their resillence to use anything else forced me to put it back on (amongst other reasons).

      However, while Mircosoft are normally very good at patching these secuirty faults, this time they have totally failed. The blame doesn't rest with stubborn users who refuse to switch. The blame rests with Microsoft's inability to provide a patch in time.

      Once they do supply a patch, it will then turn into the case of a supid user who doesn't patch. (and my server's apache logs show this, I'm still getting attacked by Code Red from infected servers who have not been patched).

      Hopefully Microsoft will adapt to the pressure created by the users not being happy with the situation and release a patch.

      Then again, looking at the age of IE and the number of requests to make a better version added to the time its taken them to respond, I'm stating a pool for those who want to bid on the release date of the patch. All dates start from 2005 onwards...

      NeoThermic
      • by tdemark (512406) on Friday June 25, 2004 @07:24AM (#9526553) Homepage
        Despite them getting infected with adware and spyware through IE, none of them want to use firefox. I've asked them many times, and even gone to the point of deleting IE, but their resillence to use anything else forced me to put it back on (amongst other reasons).

        If you would be so kind, I am really curious what the reasons were.

        What I have always done is download Firefox, change the icon to the blue E, and rename the shortcut "Internet Explorer". I then tell them, "It's the new version of Internet Explorer, called Mozilla."

        I have had no people complain or ask to have the "old" version back. In fact, the only thing I have heard is praise ("It's so fast", "I don't get pop-ups anymore", etc).

        I've done this for about 60 users (45 computers), so far.

        - Tony
        • by Ford Prefect (8777) on Friday June 25, 2004 @07:33AM (#9526610) Homepage
          You can change the name of Firefox completely with Firesomething [cosmicat.com] - although I use it primarily for the random comedy names.

          Go, Mozilla Firebadger!
        • by IANAAC (692242) on Friday June 25, 2004 @08:12AM (#9526909)
          Kind of a shame that you have to lie about what browser you're installing for them, don't you think? In the long run you're doing a disservice to the Mozilla folks by passing it off as IE, not to mention downright deceit to the user.

          A much better approach would be to sit down with the users with both browsers, and surf to good and bad sites with both to demonstrate the differences.

          • by Anonymous Coward on Friday June 25, 2004 @12:55PM (#9530231)
            Oh yeah right. Like my friends and family don't think I'm *enough* of a loser.

            Now I'm supposed to sit down with them for a "face-to-face" about two browsers which are *identical* from their point of view?

            "Susan, come here for a minute."

            "Why? I've got to go in 10 minutes, I'm really busy."

            "No this is really important."

            "Oh okay"

            "I wanted to show this web browser"

            "Yeah, explorer, so what?"

            "No!!! This is FIREFOX!! AN ADVANCED OPEN-SOURCE WEB BROWSER!! MUCH MORE SECURE!!!"

            "It looks like explorer to me."

            "Well, it LOOKS like explorer but it's better. Look here, this is etrade.com, it looks just like explorer right? open source rules!"

            "Uhh, yeah, it looks exactly the same to me. Well don't mess up my computer I have to go."

            "WAIT!!! If there had been a virus there on etrade.com you WOULDN'T HAVE GOTTEN IT!! ISN'T THAT AWESOME!!!!!!!!"

            "You are such a loser."
        • by SilentChris (452960) on Friday June 25, 2004 @08:14AM (#9526928) Homepage
          "What I have always done is download Firefox, change the icon to the blue E, and rename the shortcut "Internet Explorer". I then tell them, "It's the new version of Internet Explorer, called Mozilla.""

          So the only recourse to introducing the new software is to *trick* people into using it? Doesn't sound like a very effective (or fair) argument.
        • by rembem (621820) on Friday June 25, 2004 @12:09PM (#9529614)

          The problem is that most people think that that Blue E == The Web == The Internet. E.g. many don't see they're also using internet when they're e-mailing. When you say "I'm gonna remove IE and give you firefox.", they think "He's gonna remove my internet access for some fire security reason! Ahrg!" They somehow just can't grasp what the internet is. What they see is the web, therefore they assume that the web == the internet. To start 'the internet', they click the blue E, therefore they assume that the blue E == the internet.

          Somehow you've got to educate those people that The Internet != The Web != Blue E. Now you're just abusing their primitive assumptions. ;)

      • by Mr_Silver (213637) on Friday June 25, 2004 @07:47AM (#9526696)
        I've asked them many times, and even gone to the point of deleting IE, but their resillence to use anything else forced me to put it back on (amongst other reasons).

        I'm a long time IE (then myIE2) user and have just moved to Firefox. Some of the things as a long term IE user I dont like is:

        1. The default theme is horrible. After some digging I found Qute which is far nicer on apparantly used to be default. Why they changed it is silly.
        2. The installer has a checkbox for recommended plugins, but it isn't active. Probably due to it being less than version 1.0. I think that when it does become active it should be on by default. It is worth noting that although geeks love plugins, the normal user is somewhat slightly less ameniable to the idea (especially when the plugin is considered "essential").
        3. The settings aren't very newbie friendly. I found i had to take a lot of time setting it up. There are settings hidden away that I have to use "about:config". I should never have to do that - especially not for the ones which aren't completely obscure. It kind of reminds me of Linux (firefox) vs Windows (ie). One is more powerful and customisable, but you have to work a lot at it to get it the way you like. The other isn't, but comes with basic settings that 80% of users are happy with.
        4. Error messages in browswer is not on by default. Why not? Why is the setting hidden away? 1995 is not calling. Lets move on.
        5. The button bar has about 4 buttons. I don't think it's too much to have, by default, new tab, back, forward, stop, reload, home, bookmarks, history, print and downloads. Power users can remove them, beginners will be fine.
        6. Google search by default takes you to the "I feel lucky" page. What was wrong with the normal search?
        7. No good support for IE favourites. No wizard, for importing, no ability to automatically detect them (I had to export then from IE and import), no ability to use the IE method of storing bookmarks and retain compatibility with other parts of the OS that show my bookmarks. Hell, if you want people to migrate, make it easy for their bookmarks!
        8. Still can't work out how to make shift-click open into a new tab. One extension will allow this - but it doesn't work with the (practically essential) tabbrowser extensions.
        9. Loading times are slow. A splash screen that indicates it's loading would be nicer than sitting looking at my desktop wondering if I really did click the icon. Or faster loading times. But there is no option in the config for that. Looks like i'll have to dig again.
        Having said all that though:
        1. There is some neat functionality both with and without all the plugins. Although having said that I have no idea what the neat plugins are. It's often a case of pick what looks good and go for it.
        2. The adblock extension is very good.
        3. I like the way I can put folders into the links bar and they drop down with my websites. Especially the open all in tabs.
        Now I'm sure I'll get 50+ posts of people telling me that I'm dumb, if I do x, y and z then I can get this, I just need to edit a file, I need to install this plugin, etc.etc. but the point is that I shouldn't need to post complaints to slashdot to get the answers, nor should i need to surf the web, use google or anything else.

        Nothing I've asked for is particulary difficult, it just makes migrating less painful.

        But yes, Firefox is very good. Got a few rough edges in the userbility department, but very good.

        • Importing Favorites. (Score:4, Informative)

          by SpinyManiac (542071) on Friday June 25, 2004 @07:58AM (#9526790) Homepage
          Importing Favorites is easy.

          Either let it import them during installation (it will prompt you), or go to the File menu and click on Import...

          I'll assume you're having just a bad day. ;)

          My problem is finding "Compose ONLY in plain text" in Thunderbird. If it's there, I can't find it.
          • by Skweetis (46377) on Friday June 25, 2004 @08:44AM (#9527204) Homepage
            My problem is finding "Compose ONLY in plain text" in Thunderbird. If it's there, I can't find it.

            It's not too obvious or intuitive. Go to Tools->Account Settings->[Your Account]->Composition and Addressing and de-select "Compose Messages in HTML Format" (This is for Thunderbird 0.7). I don't know why they put it here and not with the rest of the Compose options under Tools->Options. Oh, well.

          • by Manitcor (218753) on Friday June 25, 2004 @09:00AM (#9527344) Homepage
            Quoting the Parent:

            no ability to use the IE method of storing bookmarks and retain compatibility with other parts of the OS that show my bookmarks. Hell, if you want people to migrate, make it easy for their bookmarks!

            --
            I think this is the big issue here, IE is tied to the OS in many ways and bookmarks are one of them. Its not as easy as simply importing. The replacement browser should provide the neccassary hooks so that the OS can get at the bookmark list and use it as neccassary.
        • Some responses:
          1. This has been debated to death by Mozilla fans. Just give it some time, or download another theme.
          2. Extensions will be included in 1.0, I think. But there's nothing really missing for someone switching from IE; most extensions are icing for power users.
          3. I find Firefox settings very nice for a beginner/someone switching from IE. If you need to dig into about:config, you're not a stereotypical user.
          4. Because they are not working right yet. Check bugzilla if you want to know the details.
          5. This, I agree with. I'd remove all the buttons immediately, but for people coming from IE, it would be useful.
          6. No idea, I have a keyword ('g') set up for google searching.
          7. Here, you're just wrong. The installer asks on install if you want to import settings from IE, and I believe there's also a menu item to do it later.
          8. That's because shift-click saves a page. Try ctrl-click.
          9. I find it is instantanious on my 900 MHz Athlon, but this depends a lot on your computer. For me, it's the opposite: IE draws the window borders, then sits there for a few seconds before I can do anything with it. And Firefox still speeds up with each release.
          In short, you don't sound like a typical user; you're more likely a power user, and as a power user, you're expected to dig for a few options. Otherwise, the options dialog would be too overwhelming.
      • by SilentChris (452960) on Friday June 25, 2004 @08:17AM (#9526952) Homepage
        "and even gone to the point of deleting IE"

        May I ask why? Your users (family) are obviously telling you something: they don't like your solution. In addition, if you're actually deleting IE (not just removing the icon) you're probably breaking a lot of apps like Norton Antivirus that requires the MSHTML.dll (among others), making things worse.

        Always make new software an option, not "trick" the user or remove their old software. Explain the reasons for the change and the benefits of the new software. If they don't find any, obviously your argument doesn't hold as much weight as you thought it would.
    • by samjam (256347) on Friday June 25, 2004 @07:24AM (#9526554) Homepage Journal
      I have thought for years that Ziff-Davis were Microsoft Shills. [I don't mean all MS software is bad, I just mean Ziff-Davis seemed impervious to facts in their reviews]

      If ZDNet is saying to stop using IE things must be bad.

      I have tried to depart from IE 2 or 3 times but failed. As soon as I type this message I make the move for good. Hello Mozilla.

      Sam
    • by h00pla (532294) on Friday June 25, 2004 @07:33AM (#9526607) Homepage
      Microsoft will always react by protecting their interests. If it's in their best interests to fix it quickly, they will. It it isn't, they won't.

      Who I am beginning to hope will start to react to this kind of thing is our governments. As we depend on the WWW/Internet for so much of our daily lives, I think it's time for a summit to be called about improving the state of "Information Superhighway". This particular highway is beginning to look like one of these roads you hear about in Afghanistan where you can't get from point A to B without something nasty happening.

      What we need is a solution to the monoculture of Microsoft and not just another fine (like what recently happened with he EU) that MS will just write off in their next quarterly statement. We need them to skip the fines and simply say: Fix your crappy software or we will shut you down. It will never happen, of course.

  • FUD ? (Score:4, Insightful)

    by mirko (198274) on Friday June 25, 2004 @07:00AM (#9526422) Journal
    They don't mention that much names.
    I however think that besides nda policy or whatever, they should give the names of the sites that should be avoided for security reason.
    I'd personally advise the corporate DNS maintainer to redirect these to somwhere safer.
  • Don't Forget Opera (Score:5, Informative)

    by koniosis (657156) <[koniosis] [at] [hotmail.com]> on Friday June 25, 2004 @07:00AM (#9526423)
    Opera [opera.com] also offeres a very decent alternative to both IE and Mozilla/Firefox.
  • by mrdaveb (239909) on Friday June 25, 2004 @07:00AM (#9526424) Homepage
    I think I'll just have to be content that great browsers like Firefox are available for me to use, because obviously the masses are never going to be interested.
    With these unpatched IE flaws in the wild, IE users don't even have to do something silly to get infected. But I suppose you could argue they are already doing something silly!
  • by Anonymous Coward on Friday June 25, 2004 @07:01AM (#9526428)
    The disaster we all knew was going to happen. Not just some uber1337 script kiddie releasing a buggy worm that crashes the computers it attacks but organized crime attacking the net infrastructure.

    But as bad as this may be this might also mean that finally more and more people and institutions will come to the conclusion, that a global infastrcuture depending on one product from one company simply isn't the way to go. Especially if this company has such a horrid track record when it comes to security.
    • by bigberk (547360) <bigberk@users.pc9.org> on Friday June 25, 2004 @08:05AM (#9526852)
      The disaster we all knew was going to happen.
      Nope, the disaster hasn't happened yet. When it happens, the economy will collapse and what's left of Microsoft will be hauled before court. The FBI or some other government body will use its existing evidence to show that Microsoft knew about the risks posed by its monoculture OS/desktop yet failed to take the necessary measures to protect consumers and businesses. It will be a grey area but it won't matter, since mainstream IT will be shattered. The nerds will rebuild, and will be filthy rich. Women will throw themselves at us.
  • by Mengoxon (303399) on Friday June 25, 2004 @07:01AM (#9526431)
    ...that enough people buy spam goods to pay for organized crime.
  • by ibjhb (173533) on Friday June 25, 2004 @07:02AM (#9526433) Homepage Journal
    Since the article is very vague, what happens is that once they compromise the IIS server, they modify each site on the server to write a document footer to every page. The document footer calls a DLL placed in the %windir%\system32 directory. The DLL writes a line of JavaScript to each page which redirects the user to a remote server to download the malicious code.
    • by Anonymous Coward on Friday June 25, 2004 @07:36AM (#9526626)

      This isn't a new technique, I remember the web development agency I worked for a few years back being caught out by a similar effect. A co-worker took some work home with him, and his (unpatched, unfirewalled, broadband-connected) IIS installation was infected. When he synced up with us the next morning, he infected about two hundred websites, some of them were very high profile. Hundreds of thousands of users were exposed.

      It was a stupid company, and I was always trying to get them to change policies that let things like this happen. When we started getting phonecalls from clients about this, the owner blamed stupid kids with too much time on their hands, and said we had absolutely nothing to do with it, couldn't be blamed, etc. All our clients fell for it, hook line and sinker. I think the owner had himself convinced by the end of the day (he was the type that refused to accept he was capable of screwing up).

      It's a sad state of the industry that we were responsible for infecting thousands of people and we got away with it scot-free.

  • by mgkimsal2 (200677) on Friday June 25, 2004 @07:03AM (#9526435) Homepage
    This time, however, the flaws affect every user of Internet Explorer, because Microsoft has not yet released a patch. Moreover, the infectious Web sites are not just those of minor companies inhabiting the backwaters of the Web, but major companies, including some banks, said Brent Houlahan, chief technology officer of NetSec.

    "There's a pretty wide variety," he said. "There are auction sites, price comparison sites and financial institutions."

    The Internet Storm Center, which monitors Net threats, confirmed that the list of infected sites included some large Web properties.

    "We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.


    WHY NOT? I've been trying to think of a reason NOT to list the sites infected, but I can't think of a good one. "To prevent further abuse"???? Wouldn't giving the public NOTICE about these sites help prevent more infections by having people NOT go to those sites?
    • by mgkimsal2 (200677) on Friday June 25, 2004 @07:10AM (#9526470) Homepage
      Replying to my own post: :)

      If there was a public health risk - such as biohazardous material - even in a private storefront - the city or state would close off the area and warn people not to go there. Yes, you might have people wanting to go anyway, but they've been warned.

      I know the analogy isn't all that great, but it's the best I can do right now. :)
      • by The_REAL_DZA (731082) on Friday June 25, 2004 @07:22AM (#9526537)
        If there was a public health risk - such as biohazardous material - even in a private storefront - the city or state would close off the area and warn people not to go there. Yes, you might have people wanting to go anyway, but they've been warned.
        Oh, you'd not only have people wanting to go there, you'd have people determined to go there (whether just to "test their mettle" or because they're crazy or just stupid or whatever), and the authorities would physically block access to the site by closing roads and posting armed security personnel around the perimeter. That's what's missing with the internet: a truly controlling authority with rapid response capabilities to answer "emergency" calls such as we might expect to come in to the local 911 switchboard, plus the ability (and willingness) to quarantine "sites" that pose a potential "public health risk" to the rest of the 'net. That's both bad (from a potential-victim standpoint) and good (from a personal liberties standpoint), but there's got to be some middle ground better than just running the internet "WFO" and depending on the good nature and virtue of the general public.
    • by Gzip Christ (683175) on Friday June 25, 2004 @07:20AM (#9526525) Homepage
      WHY NOT? I've been trying to think of a reason NOT to list the sites infected, but I can't think of a good one.
      They are probably not listing the sites in order to prevent (or minimize) a consumer backlash from consumers againts the sites and then a subsequent backlash from the companies against Microsoft. I tell you what - if I found out that any of my banks were irresponsible enough to be running infected servers like this I would immediately move my accounts elsewhere. I'd also be very eager to participate in any class action lawsuit against said institutions. If you don't know how to drive you stay off the road. If you don't know how to keep your servers secure, stay the hell off the Internet. My banks have a fiduciary responsibility to protect my money and if they are knowingly running an infected server, I would consider that a breach of their responsibility, and I would hope that the courts agree. This is like a brick and mortar bank keeping money and records on location when it knows that the locks on the doors don't work!
    • by flowerp (512865) on Friday June 25, 2004 @07:26AM (#9526561)

      Nope, I think the real reason is protecting the businesses.

      Even if the sites' admins had aleady removed the infecting code, a "dangerous sites" list like that would likely prevent many potential visits to the site for weeks to come.
    • by Raindeer (104129) on Friday June 25, 2004 @07:40AM (#9526641) Homepage Journal
      Ok, the article states: To prevent further abuse, the list is not published. The exploit is server side, not client side according to reports. Admins of the servers must have been warned and hopefully have cleaned the server already by now. So the public at large is not under threat from their high-profile site. Then not publishing the list is logical under the following reasoning.

      What if it is a Zero day exploit on IIS. There is no fix yet. Admins are struggling to clean the servers, but have no clue if what they did to prevent whatever is going on, actually works. Criminals all over the world will be searching for clues on what the exploit is and will want to actively exploit it as well. We don't know what is going on, so it might be possible to put a nice little rootkit undetectible on the server and later use it for interesting purposes. By not naming the sites they are putting an extra, albeit thin, layer of protection around the sites. The list of websites for criminals to target, will be much longer than it could have been if each and every site that was affected would be named on the internet. Most sites are (hopefully) clean right now, so the public is not at risk, but until we know what goes on, the server sure is.
  • Security Advisories (Score:5, Informative)

    by Lars T. (470328) <Lars DOT Traeger AT googlemail DOT com> on Friday June 25, 2004 @07:03AM (#9526436) Journal
    US-CERT [uscert.gov] and Internet Storm Center [sans.org]. Less talk, more information.
  • by arikol (728226) on Friday June 25, 2004 @07:03AM (#9526437) Journal
    I know its not fashionable around these parts, being closed source, but Opera (www.opera.com) really is the bees knees. On my machine it renders faster, everything is snappier than mozilla/firefox and has more features than you can shake Darl Mcbride at. Its not free, true, but costs about the same as a pop-up blocker for Internal Exploder Plus, Operas built in mail client is wonderful Not that Im badmouthing firefox, I have that too, I just like Opera even better
  • Hmmm.... (Score:4, Interesting)

    by T-Keith (782767) on Friday June 25, 2004 @07:03AM (#9526438)
    I've always wondered how my coworkers who "only" go to major sites like Yahoo and Ebay, pick up all sorts of spyware and adware.
  • by howman (170527) on Friday June 25, 2004 @07:05AM (#9526450)
    It has just been brought to our attention at the root of the problem this site [microsoft.com]

  • Ask Microsoft (Score:5, Informative)

    by m00nun1t (588082) on Friday June 25, 2004 @07:08AM (#9526462) Homepage
    http://www.microsoft.com/security/incident/downloa d_ject.mspx

    Linked to from their home page, has been for quite a few hours. Gives more information, including an inference that the server portion is self propogating, and that (contract to /.) that a patched PC is safe.
  • by Solar Limb (673519) on Friday June 25, 2004 @07:08AM (#9526463)
    Christ man, how many times do people have to be told to use Firefox or another alternative, more secure browser? IE's browser development efforts have been long gone, and it shows in both features/functionality as well as security.
  • by Paulrothrock (685079) on Friday June 25, 2004 @07:09AM (#9526466) Homepage Journal
    My dad had horrible spyware gunking up his PC at home. (Which he bought against my recommendation of a Macintosh.) I used my limited knowledge of spyware to clean it up, and told him to use Firefox. Next week, the default browser was back to IE. I changed it because I thought Windows had done something. The following week he told me "I don't want to use Firefox. Nothing works in it!"

    He'd rather have me wipe spyware and adware from his machine than deal with it. It's a symptom of having w3schools.com graduates making web sites in Frontpage that only work on front page.

    Of course, now IE doesn't work at all, so he runs AOL through his broadband connection to surf the Internet.

    And yes, I have since stopped wiping adware/spyware from his machine. I told him if he wasn't going to buy a machine that didn't get the stuff, or use a browser that was secure, he can deal with it himself.

  • How to kill it (Score:5, Informative)

    by SpinyManiac (542071) on Friday June 25, 2004 @07:10AM (#9526467) Homepage
    I think this is the one I caught at work.
    No security restrictions in IE will stop it.

    I caught it here:
    http://www.yetanotherhomepage.com/j7xx/j7xx .html
    There's a reason that this one isn't a link. ;)

    I killed mine like this (Windows 2000):

    Delete these:
    C:\Winnt\System32\Swin32.dll
    C:\Winnt\Sys tem32\Automove.exe
    C:\Winnt\System32\Trans.exe

    And this:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windo ws\Curr entVersion\Run
    [Adstartup] C:\Winnt\System32\Automove.exe

    Seek and destroy Swin32.dll in the registry
    Take out all of the CLSIDs it occurs in.
  • Infected ferociously (Score:5, Interesting)

    by phil-is-math (602835) on Friday June 25, 2004 @07:10AM (#9526473)
    I was wondering where I got this from. I spent 4 hours removing Malware from my computer the other day. Since I don't tend to visit pr0n sites at work, I had know idea how I was so badly infected until now... Ad-aware, spybot, and Nortons did not find the evil software. My process list was filled with MANY unkillable process with random names. Every time I killed one, it would start again with a new name. I found the executables on my drive and deleted them, they would RE-CREATE themselves!! Also, it looked like one of the installed viruses(?) would download new Malware! I was wondering, is this a virus? is it spyware? It was hard to classify as far as I could tell and it SUCKED.
  • I call bullshit (Score:5, Insightful)

    by JUSTONEMORELATTE (584508) on Friday June 25, 2004 @07:10AM (#9526474) Homepage
    "We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.

    I don't buy it.
    If your goal is to have the problem fixed, then name names, contact the affected companies so they can fix it (or have their contracted webmasters fix it) and move on.
    The whole thing stinks of FUD tactics, and the last line in the article seals it for me:
    NetSec's Houlahan advocated drastic action.


    "I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now," he said.
    Puleeeeeze

    --
  • Undisclosed sites? (Score:4, Interesting)

    by SlashDread (38969) on Friday June 25, 2004 @07:13AM (#9526485)
    WTF is that? So it can infect the rest of the world?

    This reeks of criminal negligence IMHO, they know of a crime, and they wont tell how or who will do it to you..

    "/Dread"
  • by Lxy (80823) on Friday June 25, 2004 @07:14AM (#9526491) Journal
    This "virus" is not detected by antivirus software, according to the article. Does anyone know why? I run eTrust on my IIS boxen. (yes, I have a few, no I didn't put them there, no, they shouldn't be there, but our dev team wants ASP) Etrust is a fine product, but supposedly this offending code isn't detected. That bothers me a little, but this leads to another question.

    Why isn't spyware classified as viral code? I realize it doesn't spread in the same manner as a virus, but it a) installs itself uninvited b) causes the PC and its software to behave erratically and c) makes my job needlessly more difficult. It bothers me that virus scanners aren't picking up spyware.

    Anyway, to bring this back on topic, this situation requires a server side fix. I'm sorry, I can't tell every customer to switch browsers. I can't even get my internal users to switch. Most can't, because of some oddly coded piece of software that only runs in IE. My point is, my boxen might be infected right now. Not caught by AV software, how am I supposed to determine whether this thing lives on my server?
    • by arrogance (590092) on Friday June 25, 2004 @07:42AM (#9526658)
      According to M$ [microsoft.com], if you've applied the update [microsoft.com], then you're OK.

      The Internet Storm Centre [incidents.org] has good information about what will be on your box if you're already infected.
      One reader (thanks, Ben!) submitted a list of files found on his compromised IIS server. The files he sent us included: Code snippits.doc iis6xx.dll (multiple copies, where xx varies) iis7yy.dll (multiple copies, where yy varies) Download_Ject_Symantec.doc ipaddress.txt issue.csv ads.vbs agent.exe ftpcmd.txt security_log.rtf
      I think they're in \winnt\system32\inetsrv

      Sorry about the duped links but more fixes, less FUD please. Yes, evil empire blah blah blah, but how about we tell people how to fix the problem instead?
  • by G4from128k (686170) on Friday June 25, 2004 @07:15AM (#9526496)
    So many places say "this site best when viewed with IE." IANAL, but it seems irresponsible for a site to recommend IE, especially if site handles sensitive materials such as financial services or downloadable software. If IE includes known vulnerabilities, can sites be held liable for making that recommendation?

    Any thoughts from the more legally minded amongst us?
  • by SimplyCosmic (15296) on Friday June 25, 2004 @07:17AM (#9526509) Homepage
    The original post mentions a "combination of two unpatched IE security holes", but both the US-CERT [uscert.gov] and Internet Storm Center [sans.org] only mention javascript and not a specific browser as being able to be compromised by the infected IIS servers.

    My question is, how do we know this is an IE-only problem? I ask this because I have several friends whom I'm trying to convince try an alternative browser for security reasons but I don't want to be that guy we all know who goes off about "IE exploits" that turn out to be nothing of the sort.
  • by onlyjoking (536550) on Friday June 25, 2004 @07:18AM (#9526514)

    It won't be long before Javascript is considered a complete security risk and it's the web developers who are going to suffer. Despite the rantings of sysadmins who don't touch web development it is actually a very useful language to supplement HTML.

    Javascript menus and first pass form validation, anyone?

    • by julesh (229690) on Friday June 25, 2004 @08:23AM (#9527010)
      I *always* try to develop web sites that work with javascript disabled. It isn't always easy to make this coincide with client requests, but you can usually do it (even if you have to have a no-js version).

      I've worked in an environment before (a corporate centre for a major UK bank) where javascript was stripped from downloaded web pages at the firewall.
  • Microsoft's Response (Score:5, Informative)

    by prandal (87280) on Friday June 25, 2004 @07:22AM (#9526535)
  • by kahei (466208) on Friday June 25, 2004 @07:30AM (#9526593) Homepage
    I really wish I could switch to Mozilla (ok, Firefox). My co-workers are switching to Firefox. My users are switching to firefox. But I can't, because I have no idea how to implement my pet project [jbrowse.com] as a mozilla-type plugin.

    All it has to do is read in a dictionary file, then catch the 'new page loading' event, perform morphological analysis on the page, and edit the page as it loads to include ruby tags and/or something to display definitions in the toolbar. That's it! It's fairly computationally intensive and sometimes the right html to insert at a given point is a bit of a guessing game, but it's not rocket science. But HOW THE FORK DO I DO IT IN MOZILLA??

    PS Yes I have rtfm and no I cannot implement the analysis algorithm usefully in javascript and yes I do have to insert ruby tags, as well as regular javascript that talks back to the plugin, into the page on the fly.

    Considering the amount of research that seemed necessary to get it working in the minefield of IE, I expected that I would be quite capable of figuring it out in mozilla, but it just seems to be an order of magnitude harder.

    I would be grateful for advice (eg a pointer to a similar project). Or failing that, remarks on the lines of 'if u cant use mozilla u r lame u lame wind0z3 lu20r hehe l8trz' would also be fine.

  • by Jarnis (266190) on Friday June 25, 2004 @07:35AM (#9526617)
    http://www.f-secure.com/v-descs/padodorw.shtml [f-secure.com]

    Seems like a nice keylogger. It also installs another trojan. Virus vendors seem to be getting on the ball. Also the site which distributes the payload is currently dying under the load. The virus is apparently bit too succesful for it's own good.
  • What about this? (Score:5, Informative)

    by GrumpyDeveloper (613950) on Friday June 25, 2004 @07:36AM (#9526620)
    There's apparently a newly discovered exploit in IE that can compromise an IE user's machine THROUGH AN IMAGE ON A WEB PAGE.

    So any server that allows posting of graphics (eBay, many discussion forums, etc) can be "infected". Even those running Linux. The only solution is to stop using IE and pray that Firefox, Mozilla, Opera, etc. exploits are few and far between. Article on graphics exploit here [eweek.com].
  • by afriguru (784434) on Friday June 25, 2004 @07:37AM (#9526632) Homepage
    I can't operate without the google toolbar, which has no complete mozilla equivalent. There are many sites which people can't do without which use Internet Explorer. Many tools that work only with the browser. Apart from that, Firefox is the ideal browser at the moment.
  • 0-day? (Score:5, Funny)

    by maximilln (654768) on Friday June 25, 2004 @07:56AM (#9526771) Homepage Journal
    I can't help but chuckle every time these come out because all I hear in my head is the line,"All viruses are created after the exploit has been announced."

    Keep those 0-day exploits coming, boys.
  • by tobechar (678914) on Friday June 25, 2004 @07:57AM (#9526777)
    as I quiety tap the nails of the coffin.
  • Old news (Score:4, Informative)

    by swm (171547) <swmcd@world.std.com> on Friday June 25, 2004 @08:18AM (#9526956) Homepage
    In the the 2001 May Cryptogram [schneier.com], Bruce Schneier writes
    I am regularly asked what the average Internet user can do to ensure his security...
    6. Browsing. ... If at all possible, don't use Microsoft Internet Explorer.
    11. General. ... If possible, don't use Microsoft Windows.
  • by bigberk (547360) <bigberk@users.pc9.org> on Friday June 25, 2004 @08:18AM (#9526960)
    Looking at the stats on my web site, which receives over 1000 unique visitors/day on average (and almost all of them are Windows users because I distribute Windows software)... here are this year's proportions:

    Jan: IE 73%, Mozilla 12%
    Feb: IE 76%, Mozilla 15%
    Mar: IE 75%, Mozilla 16%
    Apr: IE 75%, Mozilla 16%
    May: IE 71%, Mozilla 19%
    Jun: IE 71%, Mozilla 20%

    And for some historical reference, in July of 2003 I saw: IE 78%, Mozilla 11%.
  • by ManyLostPackets (646646) on Friday June 25, 2004 @08:24AM (#9527012)
    I work at a bank. A lot of the applications used internally are web apps that require IE... Mozilla/Opera aren't an option because those apps require MSJVM (Microsoft Virtual Machine - no joke), Active X or other proprietary MS technology.

    I'm not talking simple forms here, this for Foreign Exchange transactions.

    Certificates, multiple passwords, encryption...all moot
    • by Glock27 (446276) on Friday June 25, 2004 @08:49AM (#9527245)
      I work at a bank. A lot of the applications used internally are web apps that require IE... Mozilla/Opera aren't an option because those apps require MSJVM (Microsoft Virtual Machine - no joke), Active X or other proprietary MS technology.

      Sounds like your IT director has done a horrible job and should be fired.

      You would have been much better off implementing that stuff in a browser agnostic, standards compliant way, using Java for any heavy lifting required.

  • by jonasmit (560153) on Friday June 25, 2004 @08:41AM (#9527161)
    "I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now," he said.
    Uh, use a different browser...remind me to never buy anything NetSec says (whoever they are)or sells henceforth.
  • by mrkitty (584915) on Friday June 25, 2004 @08:47AM (#9527227) Homepage
    http://www.google.com/search?q=%22217.107.218.147% 22&hl=en&lr=&ie=UTF-8&start=20&sa=N&filter =0 Personally I'd rather know the list so I don't get infected, but then again I use netscape so....
  • by Glock27 (446276) on Friday June 25, 2004 @09:06AM (#9527402)
    OK, I've read plenty of "just use Mozilla" posts and backpatting here, but IMO we should be thinking about Mozilla/Firefox security as well.

    True this particular exploit didn't affect Mozilla/Firefox, but it is certainly possible that something similar might in the future.

    So, with that in mind, what new security features would help make Mozilla/Firefox even safer and better?

    These come to my mind:

    • A trusted site list to which I can easily add the current site, and indicate whether it can load images, run scripts and/or download applets.
    • An option that will pop up a dialog asking for permission if an untrusted site tries to do any of the above.
    • Some type of "zone" concept similar to IEs so that internal (company) sites can have more privileges than external sites.
    • Capability of central administration and control (in a business setting) so that users can easily be protected from themselves in a business or large network environment.
    Thoughts? Can some or all of this be easily implemented as Firefox extensions?

    If Mozilla/Firefox is clearly a better, more secure solution, it will gain marketshare rapidly.

  • by allio (791515) on Friday June 25, 2004 @09:34AM (#9527729)
    Layers of protection.

    Base: An up to date host file [mvps.org]. This can probably block 95% of web nasties, regardless of source, yet is overlooked by most people.
    Second: Proxomitron [proxomitron.info]. The second browser-independent tool, it's a relatively little-known local proxy that filters the crap (including more ads than virtually every other solution) from a webpage before feeding it to your browser. Also handily removes most of the ActiveX and Javascript that causes these exploits. I simply cannot recommend it enough. In addition, it's fully configurable, and there are plenty of people out there who will write custom filters [computercops.biz] to get rid of any sort of ad that slips through.
    Third: Firefox [mozilla.org]. I hesitate to suggest Opera because I don't feel it's as high a quality a product, and is closed-source, meaning it could be almost as susceptible to this stuff as Internet Explorer, should the bad guys aim their sights on it.
    Fourth: In-browser plugins such as Adblock [mozdev.org], which probably won't do much to stop this particular problem, but are nice to have around regardless.

"Anyone attempting to generate random numbers by deterministic means is, of course, living in a state of sin." -- John Von Neumann

Working...