Corporate Servers Spreading IE Virus [Updated] 1028
uncadonna writes "ZDNet is reporting that corporate web servers are infecting visitors' PCs. The combination of two unpatched IE security holes and hacked corporate websites is apparently distributing malware via
several high-credibility sites. ZDNet says users have 'few options' other than alternative browsers or platforms." Update: 06/25 14:50 GMT by J : A reader points out Microsoft's What You Should Know page. Here's the short version for avoiding this Critical severity attack: you must install add-on software, and change multiple settings in multiple programs, thus causing "some Web sites to work improperly." By changing more settings, you can regain functionality for a particular site if "you trust that it is safe to use," which you have no way of knowing. Or try Firefox. Update: 06/25 19:30 GMT by J : Reuters reports the attack installs a keysniffer which can steal credit card numbers, passwords, and so on. The story offers safety tips, but fails to mention that, after patching the hole, many users will be infected without their knowledge. Shouldn't the "fix" include ceasing to type anything important into your computer until you purchase software which can detect and remove the Trojan? And will you be downloading that software with Mastercard or Visa?
Re:yes (Score:2, Informative)
Don't Forget Opera (Score:5, Informative)
What really happens... (Score:5, Informative)
Re:Wonder How Microsoft Will React (Score:4, Informative)
Security Advisories (Score:5, Informative)
Ask Microsoft (Score:5, Informative)
Linked to from their home page, has been for quite a few hours. Gives more information, including an inference that the server portion is self propogating, and that (contract to
How to kill it (Score:5, Informative)
No security restrictions in IE will stop it.
I caught it here:
http://www.yetanotherhomepage.com/j7xx/j7x
There's a reason that this one isn't a link.
I killed mine like this (Windows 2000):
Delete these:
C:\Winnt\System32\Swin32.dll
C:\Winnt\Sy
C:\Winnt\System32\Trans.exe
And this:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wind
[Adstartup] C:\Winnt\System32\Automove.exe
Seek and destroy Swin32.dll in the registry
Take out all of the CLSIDs it occurs in.
Re:The great firewall of ... Western countries (Score:2, Informative)
Microsoft's Response (Score:5, Informative)
Re:Wonder How Microsoft Will React (Score:5, Informative)
That would work, but the article states that there are no patches as of yet for these two secuirty holes...
From the article:
"The researchers believe that online organized crime groups are breaking into Web servers and surreptitiously inserting code that takes advantage of two flaws in Internet Explorer that Microsoft has not yet fixed."
NeoThermic
Microsoft Published Workaround (Score:2, Informative)
Home users [microsoft.com]
And make sure IIS dudes applies all former patches!
Re:MSN Search is infected (Score:2, Informative)
Try:
http://search.msn.com/blah.exe
Re:Is it an IE only exploit? (Score:5, Informative)
Re:Wonder How Microsoft Will React (Score:4, Informative)
Not sure what article you are reading (maybe it's changed?).
This one [com.com] (from ZDNET, which is the one linked to in the story) states:
"This time, however, the flaws affect every user of Internet Explorer, because Microsoft has not yet released a patch."
Can anyone tell me how to develop for Mozilla then (Score:5, Informative)
All it has to do is read in a dictionary file, then catch the 'new page loading' event, perform morphological analysis on the page, and edit the page as it loads to include ruby tags and/or something to display definitions in the toolbar. That's it! It's fairly computationally intensive and sometimes the right html to insert at a given point is a bit of a guessing game, but it's not rocket science. But HOW THE FORK DO I DO IT IN MOZILLA??
PS Yes I have rtfm and no I cannot implement the analysis algorithm usefully in javascript and yes I do have to insert ruby tags, as well as regular javascript that talks back to the plugin, into the page on the fly.
Considering the amount of research that seemed necessary to get it working in the minefield of IE, I expected that I would be quite capable of figuring it out in mozilla, but it just seems to be an order of magnitude harder.
I would be grateful for advice (eg a pointer to a similar project). Or failing that, remarks on the lines of 'if u cant use mozilla u r lame u lame wind0z3 lu20r hehe l8trz' would also be fine.
I had been infected. (Score:3, Informative)
It ended up embedding itself everywhere in my registry. After an hour of deleting all registry entries and even uninstalling IE6 and then reinstalling it, My search section of IE was still Lycos and banner ads would show up in it.
The only option i had left was to format and reinstall micosux windcrap.
Re:Wonder How Microsoft Will React (Score:5, Informative)
Go, Mozilla Firebadger!
The exploit installs fun stuff (Score:5, Informative)
Seems like a nice keylogger. It also installs another trojan. Virus vendors seem to be getting on the ball. Also the site which distributes the payload is currently dying under the load. The virus is apparently bit too succesful for it's own good.
What about this? (Score:5, Informative)
So any server that allows posting of graphics (eBay, many discussion forums, etc) can be "infected". Even those running Linux. The only solution is to stop using IE and pray that Firefox, Mozilla, Opera, etc. exploits are few and far between. Article on graphics exploit here [eweek.com].
How to tell and Fixes (Score:5, Informative)
The Internet Storm Centre [incidents.org] has good information about what will be on your box if you're already infected. I think they're in \winnt\system32\inetsrv
Sorry about the duped links but more fixes, less FUD please. Yes, evil empire blah blah blah, but how about we tell people how to fix the problem instead?
Re:The Google Toolbar & Such (Score:4, Informative)
http://googlebar.mozdev.org/
And please name a few sites that only work with IE.
Re:MSN Search is infected (Score:5, Informative)
AVG free edition [grisoft.com] sygate personal firewall [sygate.com] and Spybot seach and destroy [google.com] (site down) will complete your collection nicely. Might want to have a look at Hijack this [spywareinfo.com] and this tutorial [wizardsofwebsites.com] as well.
Yes, this is a lot of work for the price of keeping windows running. Some people don't have a choice... Me, as soon as my favourite IDE [vim.org] gets ported to Linux, I'll swap ;-)
Seriously though, if there are any other tools you guys use to try and keep windows secure, please share.
Re:The Google Toolbar & Such (Score:2, Informative)
Partly... (Score:3, Informative)
It does say a patched PC is safe, but you need Windows XP Service Pack 2 RC2 in order to be safe.
However, it does say that Windows 2000 Servers with IIS 5.0 without an already released patched are the infecting machines.
Reports indicate that Web servers running Windows 2000 Server and IIS that have not applied update 835732, which was addressed by Microsoft Security Bulletin MS04-011, are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code.
Importing Favorites. (Score:4, Informative)
Either let it import them during installation (it will prompt you), or go to the File menu and click on Import...
I'll assume you're having just a bad day.
My problem is finding "Compose ONLY in plain text" in Thunderbird. If it's there, I can't find it.
Re:Little things (Score:5, Informative)
I wont comment on your other problems with switching. But you could at least try these things with FireFox. As it turns out both of those hotkeys do exactly the same thing as IE under FireFox. Just tried it with 0.9.
Re:Don't Forget Opera (Score:3, Informative)
Here is my postulate: The only way you can trust any software is through independent audit of the source code.
Whether that's you yourself, or somebody to whom you have paid a sum of money. Relying on what the software supplier -- or their hired goons -- have said, is asking for trouble. Somewhere in between the two extremes, lies a third option: just let enough ordinary people, independent of yourself and the author, look at the source code -- and cling with all your might to the assumption that if anybody spots something nasty, then they will speak out, just because they have no good reason not to.
If anyone knows another way that software can be made trustworthy, beside independent source audit, please feel free to enlighten me. Until such a time, I stand by my assertion that open source software is more likely to be trustworthy than closed source, varying with the validity of the aformentioned Great Assumption.
Re:Wait, you mean this ISN'T a vulnerability in IE (Score:3, Informative)
So mozilla etc are still safe.
Re:How to kill it (Score:3, Informative)
I don't think this is correct. If you turn off "Active Scripting" for the "Internet Zone" you should be invulnerable, AFAIK. Specifically, it is a Javascript exploit.
Check out the CERT advisory [uscert.gov].
Re:Is it an IE only exploit? (Score:4, Informative)
Old news (Score:4, Informative)
Re:Hmmm.... (Score:3, Informative)
Why alternative browsers may not be possible (Score:5, Informative)
I'm not talking simple forms here, this for Foreign Exchange transactions.
Certificates, multiple passwords, encryption...all moot
Here's a few (Score:1, Informative)
Microsoft support [microsoft.com] - try to search the knowledge base.
Here's [yetanotherhomepage.com] a non MS one.
It amuses me that you can't search MS's knowledge base to fix IE if IE is dead. On the other hand, Windows is probably dead if IE won't run.
Re:Wonder How Microsoft Will React (Score:5, Informative)
- This has been debated to death by Mozilla fans. Just give it some time, or download another theme.
- Extensions will be included in 1.0, I think. But there's nothing really missing for someone switching from IE; most extensions are icing for power users.
- I find Firefox settings very nice for a beginner/someone switching from IE. If you need to dig into about:config, you're not a stereotypical user.
- Because they are not working right yet. Check bugzilla if you want to know the details.
- This, I agree with. I'd remove all the buttons immediately, but for people coming from IE, it would be useful.
- No idea, I have a keyword ('g') set up for google searching.
- Here, you're just wrong. The installer asks on install if you want to import settings from IE, and I believe there's also a menu item to do it later.
- That's because shift-click saves a page. Try ctrl-click.
- I find it is instantanious on my 900 MHz Athlon, but this depends a lot on your computer. For me, it's the opposite: IE draws the window borders, then sits there for a few seconds before I can do anything with it. And Firefox still speeds up with each release.
In short, you don't sound like a typical user; you're more likely a power user, and as a power user, you're expected to dig for a few options. Otherwise, the options dialog would be too overwhelming.Re:Little things (Score:3, Informative)
The only reason I still have IE is... (Score:2, Informative)
Re:yes (Score:5, Informative)
http://www.mozilla.org
Two things:
1. Don't use an account that has elevated priviledges.
2. Don't install the latest security patches for I.E. 6.0.
The article mentions that the exploit takes advantage of the recently announced vulnerability in I.E. that an advertising company was exploiting. My testing of this vulnerability revealed that it would be unsuccessful if you didn't use a priviledged account. And oddly, at least with the previous exploit, the code wouldn't run until I installed the latest security updates. A generic install of Windows XP or one with SP1 didn't appear to work. Odd.
How to configure Internet Explorer (Score:3, Informative)
2. Go to Control Panel | Internet Options | Advanced | Multimedia, and uncheck "Show pictures". (FDA warning: I have not verified that this setting prevents this image exploit from infecting your system, since I don't know of any infected servers. But it will at least force you to use the alternate browser we installed in Step 1.)
3. Switch to the Security tab, and move Internet into "high". This will disable most forms of scripting. However, It also disables the Windows Update site. You can add windowsupdate.microsoft.com to a list of trusted sites (it will give you the instructions when you try to visit it in this mode), but I'd be very careful with that, since I do not doubt that the Windows Update site is very high on the crackers' lists of sites to infect. (Wouldn't that be ironic?)
FWIW, I don't know whether setting Internet zone security to "High" disables the automatic Windows update feature or not. I'll tell you as soon as there's a critical update to be notified of.
Re:What about this? (Score:4, Informative)
Re:Wonder How Microsoft Will React (Score:1, Informative)
1. Yes the previous theme was better. But it's _real_ easy to install new themes.
2. no idea.
3. The settings have been carefuly chosen to be newbie friendly. I haven't had to touch anything. What is not newbie friendly about it's default behaviour?
4. nfi what you're talking about here.
5. Less is more for a new user. Just make it easy for a power user to add buttons. By default Opera is a huge orgy of buttons and things, and it takes me quite a while to clean it up. I'm the sort of user that likes less clutter.
6. What? I just tried it, it absolutely does NOT do that.
7. What the hell? The installer has this feature, and you can go to file->Import to import stuff using a "wizard".
8. Try middle-mouse-button click.
9. Not to bad on my machine, but they could probably use some optimisations here.
All in all, I suspect your are using Firefox 0.1 or something, not the latest (0.9).
These are certainly not real reasons to continue using IE. I mean, holy hell, IE?!?! It's the worst browser ever.
Re:Infected ferociously (Score:3, Informative)
I had similar problems removing a piece of shit known as CoolWebSearch from a friend's machine.
Re:Can anyone tell me how to develop for Mozilla t (Score:5, Informative)
Basically: create an XPCOM component in C++ (if JavaScript or Python are too slow for you) which performs the computation. Mark your XPCOM interface as scriptable, use the typelib compiler to expose it to javascript then pass in the browser DOM so it can be edited by your component. Then write an extension to catch "page loaded" and pass the DOM to the loaded XPCOM component. I think that should work.
Re:Importing Favorites. (Score:4, Informative)
It's not too obvious or intuitive. Go to Tools->Account Settings->[Your Account]->Composition and Addressing and de-select "Compose Messages in HTML Format" (This is for Thunderbird 0.7). I don't know why they put it here and not with the rest of the Compose options under Tools->Options. Oh, well.
Do NOT use Internet Explorer... (Score:3, Informative)
That's the advice I give to my friends after I saw this page:
http://web.archive.org/web/20030603192725/http://
(too bad that page now no longer host that information
There are more holes in IE than a piece of Swiss cheese, and Microsoft doesn't seem to be concerned if that will cause you to be accused of collecting child porn [wired.com].
Full details of securing a WIndows workstation can be read here [harrysufehmi.com]. HTH.
Re:The Google Toolbar & Such (Score:3, Informative)
I like Firefox but I have to disagree. I spend alot of time implementing technologies I've never worked with before so I spend alot of time scouring the web for information. I find the Opera broswer superior in this case. Here are the reason I prefer Opera.
The bad?
Other than that I love the broswer.
For those that have never tried it I would recommend trying it. The Windows version is more polished than any other version that I've seen, but I still my prefered broswer on Linux also.
Google provides a nice list of sites (Score:4, Informative)
Re:But How Many People Will Switch? (Score:3, Informative)
(I'm not knocking moz, I love it, just that there are some sites that don't work)
Re:Why alternative browsers may not be possible (Score:5, Informative)
Sounds like your IT director has done a horrible job and should be fired.
You would have been much better off implementing that stuff in a browser agnostic, standards compliant way, using Java for any heavy lifting required.
Re:Can anyone tell me how to develop for Mozilla t (Score:5, Informative)
Studying this source might be useful for your own project.
what is it missing? (Re:The Google Toolbar & S (Score:5, Informative)
I can't operate without the google toolbar, which has no complete mozilla equivalent.
Um, what exactly is the mozilla google toolbar (http://googlebar.mozdev.org/ [mozdev.org]) missing that you can't do without?
Remember, it doesn't need popup blocking (Mozilla does that itself).
Re:Wonder How Microsoft Will React (Score:3, Informative)
Until they tried to reach an "active X required" page...
Of course, it is generally advised to turn off activex for security reasons...Although there is a plugin to run activex in Mozilla ( http://www.iol.ie/~locka/mozilla/mozilla.htm [www.iol.ie]).
Re:Importing Favorites. (Score:2, Informative)
It's under "Composition and Addressing" on the account settings. You don't get asked whether you want it on or not when setting up the account, either - you have to go in after setting it up and tweak it there.
Bad Thunderbird. No biscuit!
Re:Wonder How Microsoft Will React (Score:3, Informative)
Luna [intraplanar.net] and Luna Blue [intraplanar.net].
The solution to every web problem in Windows (Score:5, Informative)
Base: An up to date host file [mvps.org]. This can probably block 95% of web nasties, regardless of source, yet is overlooked by most people.
Second: Proxomitron [proxomitron.info]. The second browser-independent tool, it's a relatively little-known local proxy that filters the crap (including more ads than virtually every other solution) from a webpage before feeding it to your browser. Also handily removes most of the ActiveX and Javascript that causes these exploits. I simply cannot recommend it enough. In addition, it's fully configurable, and there are plenty of people out there who will write custom filters [computercops.biz] to get rid of any sort of ad that slips through.
Third: Firefox [mozilla.org]. I hesitate to suggest Opera because I don't feel it's as high a quality a product, and is closed-source, meaning it could be almost as susceptible to this stuff as Internet Explorer, should the bad guys aim their sights on it.
Fourth: In-browser plugins such as Adblock [mozdev.org], which probably won't do much to stop this particular problem, but are nice to have around regardless.
Re:Infected ferociously (Score:2, Informative)
Majorgeeks [majorgeeks.com]. there are other mirrors aound, too.
Re:yes (Score:1, Informative)
Links is a text based browser which supports frames and tables
Re:Don't Forget Opera (Score:3, Informative)
Opera Donations Program [opera.com]
No Patches for CWS either... (Score:3, Informative)
Remember: All a user has to do is surf to one of these scumbag sites (by accident or on purpose) with their freshly, fully patched IE and... BOOM!
"Did you know that your computer may be infected with SPYWARE?!" - Actual quote from these scumbags.
To be fair, fix is not that complicated (Score:2, Informative)
"Important: Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk."
Re:Don't Forget Opera (Score:3, Informative)
2. There's a pay, ad-free version. This is what I and tens (hundreds?) of thousands of others have on their computers. Opera is the best browser out there, and there are a lot of people out there who believe that it's worth paying for quality (cf BMW, Mercedes, Rolex, Zippo, etc).
Re:Liability of sites that recommend IE? (Score:1, Informative)
Well, recently, our medical insurance provider updated their web-site and the site, which used to work fine with Netscape, now has features that will only work with IE.
Just yesterday, I sent them a nasty e-mail telling them to please remove the IE-specific stuff from their web-page because it was forcing us to use an obvious security risk. Then, today, this happens.
Can you hear me now?
Mozilla Backup! (Score:5, Informative)
Re:To be fair, fix is not that complicated (Score:2, Informative)
Re:Here's a few (Score:2, Informative)
In this post [slashdot.org] you say that the last one of yr links given above is infected. Now you give it as a regular link without any warning of infection ?
Linky: (Score:3, Informative)
Because
Re:Little things (Score:3, Informative)
In Firefox, not only does Ctrl + Enter add the 'www' and 'com', but Shift + Enter adds 'www' and 'net' and Ctrl + Shift + Enter adds 'www' and 'org'. You really should give it a try.
Re:yes (Score:3, Informative)
I didn't find any bugs in mozilla's bugzilla that referred to sportsline, so this problem most likely hasn't been reported yet. I was also unable to find the exact page you were referring too on cbs.sportsline.com. Otherwise, I would have submitted the bug.
Okay, just this once: (Score:5, Informative)
Open HKEY_CLASSES_ROOT\http\shell\open
Remove the "ddeexec" subkey (subfolder).
Go into the "command" subkey (subfolder).
Change the (Default) string to this value:
"C:\path\to\mozilla.exe" -nosplash -url "%1"
Make sure to use the full path to mozilla or firefox. Also, keep the quotes.
To test, go to the run menu and type in an http:// URL. It should pop up a new mozilla window to the webpage.
Do the same thing for HKEY_CLASSES_ROOT\https and HKEY_CLASSES_ROOT\ftp to get the HTTPS and FTP protocol handlers as well.
Mail (mailto: links) is a little trickier. Use this guide [toast.net] for assistance.
Re:Firefox (Score:4, Informative)
I would think so.
Here is the question to ask yourself. Does the program that stores your passwords require any input from you to retrieve them (such as a master password). If so, you may or may not be safe - depending on how the master password is implemented. If not, you are definitely NOT safe. The passwords may be encrypted, but the key is somewhere on the hard drive otherwise IE couldn't make use of them.
If there is a master password then it could be used to encrypt your password database, which would probably make it fairly safe if the crypto isn't broken. Then again, it could just be stored as a hash on the disk and the passwords could be stored in the clear.
Bottom line - if the computer doesn't need to ask you for a password to access data, then spyware potentially doesn't either. Sure, things like sandboxes can protect some data from malicious apps, but they generally aren't perfect. Strictly speaking, neither is a passphrase since it doesn't have all that much entropy.
If you really want to be secure, store your passwords encrypted using strong crypto, and store the key on a smartcard protected by a PIN. To defeat that requires the smartcard at the very least, and unless you can hack the hardware it requires the PIN as well. Most decent smartcards will delete their keys making them useless after so many failed PIN attempts.
If iButton support was a little more mature on linux I'd probably start using it. You should check out their Java ibuttons - sounds like a neat solution for these kinds of problems. And they're pretty cheap.
Re:yes (Score:3, Informative)
It's fixed, but who knows when the next build of your favorite Moz browser is coming out? The bug report says "Maybe 1.7.1" :)
Re:What about this? (Score:1, Informative)
http://www.microsoft.com/unix/ie/default.asp
Re:Wonder How Microsoft Will React (Score:3, Informative)
and then goes on with links to other browsers in the margin. Not very prominent, but it is a start.
I found this from mainstream Norwegian paper Dagbladet [dagbladet.no] that runs a story on the frontpage entitled "Warns against Internet Explorer".