Corporate Servers Spreading IE Virus [Updated] 1028
uncadonna writes "ZDNet is reporting that corporate web servers are infecting visitors' PCs. The combination of two unpatched IE security holes and hacked corporate websites is apparently distributing malware via several high-credibility sites. ZDNet says users have 'few options' other than alternative browsers or platforms."
Update: 06/25 14:50 GMT by J: A reader points out Microsoft's What You Should Know page. Here's the short version for avoiding this Critical severity attack: you must install add-on software, and change multiple settings in multiple programs, thus causing "some Web sites to work improperly." By changing more settings, you can regain functionality for a particular site if "you trust that it is safe to use," which you have no way of knowing. Or try Firefox.
Update: 06/25 19:30 GMT by J: Reuters reports the attack installs a keysniffer which can steal credit card numbers, passwords, and so on. The story offers safety tips, but fails to mention that, after patching the hole, many users will be infected without their knowledge. Shouldn't the "fix" include ceasing to type anything important into your computer until you purchase software which can detect and remove the Trojan? And will you be downloading that software with Mastercard or Visa?
MSN Search is infected (Score:0, Interesting)
You can download the trojan from here:
http://search.msn.com/msits.exe
What's it going to take to make people switch? (Score:5, Interesting)
With these unpatched IE flaws in the wild, IE users don't even have to do something silly to get infected. But I suppose you could argue they are already doing something silly!
Opera? Firefox? IE.....hell no (Score:5, Interesting)
Hmmm.... (Score:4, Interesting)
Re:What's it going to take to make people switch? (Score:2, Interesting)
I've been able to convince every one of my 18-year-old friends (who are mostly NOT technical people at all) to use Firefox. They all LOVE it. I think they switched partially because of all my complaining every time they started IE in front of me -- and partially because I sat down at their computer and downloaded the thing and installed it.
Re:MSN Search is infected (Score:2, Interesting)
Infected ferociously (Score:5, Interesting)
Undisclosed sites? (Score:4, Interesting)
This reeks of criminal negligence IMHO, they know of a crime, and they won't tell how or who will do it to you..
"/Dread"
not detected by AV software? (Score:5, Interesting)
Why isn't spyware classified as viral code? I realize it doesn't spread in the same manner as a virus, but it a) installs itself uninvited b) causes the PC and its software to behave erratically and c) makes my job needlessly more difficult. It bothers me that virus scanners aren't picking up spyware.
Anyway, to bring this back on topic, this situation requires a server side fix. I'm sorry, I can't tell every customer to switch browsers. I can't even get my internal users to switch. Most can't, because of some oddly coded piece of software that only runs in IE. My point is, my boxen might be infected right now. Not caught by AV software, how am I supposed to determine whether this thing lives on my server?
Liability of sites that recommend IE? (Score:5, Interesting)
Any thoughts from the more legally minded amongst us?
Re:Don't Forget Opera (Score:1, Interesting)
"Meanwhile, the average Internet surfer is left with few options. Windows users could download an alternate browser, such as Mozilla or Opera, and Mac users are not in danger."
Is it an IE only exploit? (Score:5, Interesting)
My question is, how do we know this is an IE-only problem? I ask this because I have several friends whom I'm trying to convince to try an alternative browser for security reasons but I don't want to be that guy we all know who goes off about "IE exploits" that turn out to be nothing of the sort.
Re:Wonder How Microsoft Will React (Score:5, Interesting)
A quick scan of that article and I couldn't see any mention of using an alternative browser, just the usual "update virus checker, etc"
We need these sites to push the idea of Mozilla to the masses
Another nail in Javascript's coffin (Score:4, Interesting)
It won't be long before Javascript is considered a complete security risk and it's the web developers who are going to suffer. Despite the rantings of sysadmins who don't touch web development it is actually a very useful language to supplement HTML.
Javascript menus and first pass form validation, anyone?
Re:Wonder How Microsoft Will React (Score:3, Interesting)
Not many. They will rather believe it is a kind of valuable new feature, and they will perceive the inability of being infected as another flaw in mozilla. You probably think I'm joking, but, sadly, I'm not. I was recently forced to work with two windows-minded webmasters and this is exactly the way their brains work. MSIE cannot by definition have any flaws. If MSIE is not standards-compliant, well, too bad for the standards. I'm not even sure such folks can comprehend the concept of technical standards. And they won't listen to an opinion coming from someone who uses linux and doesn't approve piracy. You don't steal software => you are irrational, perhaps insane => you can't be trusted. And the <input type crash> bug was not a bug, it was Microsoft's joke. And GIMP is simply unusable.
So, I say, those windows users who are not totally fucked up have already switched to mozilla. Others will never switch.
Do your part (Score:3, Interesting)
Re:Wonder How Microsoft Will React (Score:5, Interesting)
If you would be so kind, I am really curious what the reasons were.
What I have always done is download Firefox, change the icon to the blue E, and rename the shortcut "Internet Explorer". I then tell them, "It's the new version of Internet Explorer, called Mozilla."
I have had no people complain or ask to have the "old" version back. In fact, the only thing I have heard is praise ("It's so fast", "I don't get pop-ups anymore", etc).
I've done this for about 60 users (45 computers), so far.
- Tony
Re:Wonder How Microsoft Will React (Score:3, Interesting)
If the scenario is as reported, and IE is currently unpatchable, then the conversation is likely to go like this:
IT Manager: A problem has been identified in IE, it leaves the organization open to virus infection, we need to change the browser we use to something else.
CEO: Haven't you got more important things to do, where's my mail merge. I'm not having you spending a week changing every machine.
IT Manager: OK, the deal is, here is a threat that can't currently be solved, it presents the possibility that many of our machines could slow down, crash or be otherwise infected. To be honest, the details aren't clear, but it appears to be very easy for the infection to spread.
Are you formally telling me that you don't want me to take any action? and that you are happy with the situation.
CEO: How much does a new browser cost?
IT Manager: It's free.
CEO: quit hanging about in my office and get those new browsers installed.
Re:Ask Microsoft (Score:2, Interesting)
I believe that this all goes back to... (Score:3, Interesting)
Re:Wonder How Microsoft Will React (Score:3, Interesting)
Every Mom and Pop I've given Mozilla or FireFox to has been ecstatic, right from the start. Nobody actually LIKES Internet Explorer. They either:
1) don't care
2) prefer Mozilla, or
3) are forced to use IE in a corporate environment.
Why does your family resist?
Re:MSN Search is infected (Score:3, Interesting)
There's what looks like a valid 6.5kB EXE there - might this be a copy? For forensic purposes only, mind.
Force their hand (Score:3, Interesting)
Another thought - if any bank or institution that you use is running IIS, write them and ask them to certify that they are not infected. Let them know that if they do not guarantee that their servers are not compromised by this exploit, you will be transferring your account to an institution which uses servers that don't have such an abysmal security record.
Re:What really happens... (Score:5, Interesting)
This isn't a new technique, I remember the web development agency I worked for a few years back being caught out by a similar effect. A co-worker took some work home with him, and his (unpatched, unfirewalled, broadband-connected) IIS installation was infected. When he synced up with us the next morning, he infected about two hundred websites, some of them were very high profile. Hundreds of thousands of users were exposed.
It was a stupid company, and I was always trying to get them to change policies that let things like this happen. When we started getting phonecalls from clients about this, the owner blamed stupid kids with too much time on their hands, and said we had absolutely nothing to do with it, couldn't be blamed, etc. All our clients fell for it, hook line and sinker. I think the owner had himself convinced by the end of the day (he was the type that refused to accept he was capable of screwing up).
It's a sad state of the industry that we were responsible for infecting thousands of people and we got away with it scot-free.
The Google Toolbar & Such (Score:4, Interesting)
Unplugging infected servers to avoid virus (Score:2, Interesting)
I wonder if they would agree to do the same with those infected servers, spreading IE virus.
Not to mention that most of those servers shall be Windows NT and 2000
Re:Wonder How Microsoft Will React (Score:3, Interesting)
Re:Wonder How Microsoft Will React (Score:5, Interesting)
I'm a long time IE (then myIE2) user and have just moved to Firefox. Some of the things as a long term IE user I don't like are:
Nothing I've asked for is particularly difficult, it just makes migrating less painful.
But yes, Firefox is very good. Got a few rough edges in the usability department, but very good.
Re:What really happens... (Score:1, Interesting)
It looks like this:
var cm_HOST="test";
var cmD=document;
function cmSetProduction(){cm_HOST="data";}
function getDefPgID(t) {
    if (!t){t ="";}
    var cmT = cmD.title;
    if (cmT.indexOf("Bank of America |") == 0) {cmT = cmT.substr(17);}
    cmT = cmT + " (" + t + ")";
    return(cmT);}
function cmAdStr(){
    var linkCt = cmD.links.length;
    var lurl,i,ndx,ad;
    var adSt = "";
    for (i = 0; i < linkCt; i++) {
        lurl = cmD.links[i].href;
        ndx = lurl.lastIndexOf("adlink=");
        ndx2 = lurl.lastIndexOf("/adtrack/");
And on and on for three pages.
So if every major website already puts javascript at the bottom of every page, how is my mom supposed to read the code and see whether it's real javascript from my bank or from a hacker?
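An added example, not part of the thread or any poster's code: a reader cannot judge page scripts by eye, but a site operator can compare the scripts a page actually serves against a baseline built from a known-good copy, which also speaks to the earlier question of how to tell whether something unexpected lives on your server. The host names, page content and function names below are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script>: external src URLs and inline bodies."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.external, self.inline = [], []
        self._in_inline, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def _collect(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser


def fingerprint(body):
    """SHA-256 of the script body with whitespace runs collapsed."""
    return hashlib.sha256(" ".join(body.split()).encode("utf-8")).hexdigest()


def build_baseline(known_good_html):
    """Fingerprints of every inline script in the known-good copy."""
    return {fingerprint(b) for b in _collect(known_good_html).inline}


def audit_page(html, page_url, allowed_hosts, allowed_inline):
    """Return (kind, detail) for each script that is not in the baseline."""
    page_host = urlparse(page_url).hostname
    scripts = _collect(html)
    findings = []
    for src in scripts.external:
        host = urlparse(src).hostname or page_host  # relative URL: same host
        if host != page_host and host not in allowed_hosts:
            findings.append(("external", src))
    for body in scripts.inline:
        if fingerprint(body) not in allowed_inline:
            findings.append(("inline", " ".join(body.split())[:60]))
    return findings


# Constructed sample: a known-good page and the same page with a footer appended.
KNOWN_GOOD = """<html><head><title>Example Bank | Home</title>
<script src="/js/menu.js"></script></head>
<body><p>Welcome</p>
<script>
var cm_HOST="test";
function cmSetProduction(){cm_HOST="data";}
</script>
</body></html>"""

SERVED = KNOWN_GOOD + """
<script>var appended = "constructed stand-in for unexpected footer code";</script>
<script src="http://unknown-host.example/a.js"></script>"""

if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD)
    for kind, detail in audit_page(SERVED, "http://bank.example/", set(), baseline):
        print(kind, detail)
```

The baseline has to come from a trusted source such as the deployment repository, not from the running server, and the audit should fetch pages the way a visitor would so that content appended at serve time is included.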
Re:Wonder How Microsoft Will React (Score:4, Interesting)
In this article, it says (towards the bottom)
"Meanwhile, the average Internet surfer is left with few options. Windows users could download an alternate browser, such as Mozilla or Opera, and Mac users are not in danger."
What I found somewhat funny was this quote (from NetSec's chief technology officer)
"I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now"
Does that mean he foresees a time in the near future when this kind of problem will go away? I don't.
Re:Wonder How Microsoft Will React (Score:3, Interesting)
Seems odd, doesn't it? Mozilla is one of the only standards-compliant browsers around.
Re: "Experts" (Score:3, Interesting)
2. His wife might use IE, and since HE'S AT WORK, he can't go home to switch it for her.
3. He probably doesn't have time to walk her through it, because she's clueless.
4. He probably knows his bank is running on Apache and is therefore immune to this attack.
Mozilla switch starting? (Score:4, Interesting)
Jan: IE 73%, Mozilla 12%
Feb: IE 76%, Mozilla 15%
Mar: IE 75%, Mozilla 16%
Apr: IE 75%, Mozilla 16%
May: IE 71%, Mozilla 19%
Jun: IE 71%, Mozilla 20%
And for some historical reference, in July of 2003 I saw: IE 78%, Mozilla 11%.
Re:Wonder How Microsoft Will React (Score:2, Interesting)
Re:Wonder How Microsoft Will React (Score:4, Interesting)
> product over another? What possible interest could they have?
Rhetorical questions, both. Historically, the media frequently takes positions on all sorts of things. Your questions imply that they don't.
While I share your enthusiasm for a grassroots process of replacing bad software with good software, historically, the evidence that suggests that this might actually happen is pretty poor.
Almost every non-technical person that I've met doesn't care about any of this stuff. In fact, if they did not suffer from viruses and pop-ups and spam and trojans, they would worry that something is actually wrong with their computer.
--Richard
Re:Another nail in Javascript's coffin (Score:4, Interesting)
I've worked in an environment before (a corporate centre for a major UK bank) where javascript was stripped from downloaded web pages at the firewall.
Re:Firefox (Score:4, Interesting)
Re:Wonder How Microsoft Will React (Score:2, Interesting)
I use google like an abused personal assistant: "Jenkins! get me foobar corp! If foobar.com doesn't exist then just get me the google search results on foobar, whatever, I don't have time to think about how to get it, just get it!"
The address bar is about going places and integrating it with search is such a stunningly obvious thing to do that I find it amazing that Foxfire has a different default behavior. The fact that I can't just go to options->Addressbarsearch> and change this nonsense is evidence some user testing would have been in order.
Instead, in typical "menus are for cretins, the 31337, use configs and command lines", I have to hunt down the instructions for changing this behavior, then edit the user.js file on every machine I use.
None of which is to say it is a bad browser, it just has a number of annoyances.
Re:Importing Favorites. (Score:4, Interesting)
no ability to use the IE method of storing bookmarks and retain compatibility with other parts of the OS that show my bookmarks. Hell, if you want people to migrate, make it easy for their bookmarks!
--
I think this is the big issue here, IE is tied to the OS in many ways and bookmarks are one of them. It's not as easy as simply importing. The replacement browser should provide the necessary hooks so that the OS can get at the bookmark list and use it as necessary.
Mozilla/Firefox issues (Score:4, Interesting)
True this particular exploit didn't affect Mozilla/Firefox, but it is certainly possible that something similar might in the future.
So, with that in mind, what new security features would help make Mozilla/Firefox even safer and better?
These come to my mind:
If Mozilla/Firefox is clearly a better, more secure solution, it will gain marketshare rapidly.
Re:Wonder How Microsoft Will React (Score:3, Interesting)
Also realize that it is possible that someone that hated CNN could easily create one of these viruses to redirect cnn.com to a competitor or to the localhost.
Urging customers to use products that keep them a customer is good business. Much like bars generally won't serve someone that is so drunk they can't stand up and sometimes (I have seen it) call a cab for someone they knew couldn't drive.
Re:Can anyone tell me how to develop for Mozilla t (Score:3, Interesting)
Re:Wonder How Microsoft Will React (Score:2, Interesting)
Don't know about Opera, but they seem to care more than MS does about fixing things.
Re:Why alternative browsers may not be possible (Score:1, Interesting)
This is a good strategy, and one that I insist we use here at work, but the push-back from *everybody* is unbelievable.
* The MS Weenies insist on doing everything as Webforms (with some pretty strong IE dependencies) because it's easy
* The open source guys insist that every web page should be done in PHP (which I prohibit)
* Everybody (except the Java guys) are upset that I insist that we use best practices like written requirements, use cases, and other software tools to ensure we have a verifiable, understandable set of applications.
It's like a jungle. Strangely enough, those "heavyweight, bloated Java servlets" seem to run without problems. It's those easy Webforms and
I've come to the conclusion that *nobody gives a shit any more*. If it crashes, if somebody's credit card is stolen, if info is lost, people shrug and give an "oh well!".
It's really depressing.
Re:Microsoft's Response (Score:2, Interesting)
In any event, the problem often resulted from a customization I had made to Windows. In particular, if I had moved some system files to a new location (e.g. dllcache). Normally, this isn't a problem -- you just make some registry changes to point to the new location, copy the files, etc. But I've come to find that some hotfixes (which, as Microsoft states, often have not been through a full regression test) are hard-coded to things like the C: drive. So, they blindly look in C:\Windows\System32 for the updates files, don't find them, and indicate an update is required.
Now, more oddly still, often the patch updates in the correct location -- i.e. where the registry says the files should be.
So, you return to Windows Updates, and the C:\Windows\System32 files are still out-of-date (because the update was applied to the correct files), and you are told you need to apply the patch.
Rinse. Repeat.
Now, if this is your problem, there is a good chance that you are patched. But, who knows? It sure doesn't give you a warm fuzzy feeling to be told to apply the patch over-and-over again.
Whenever Windows Update applies a patch, it does generate a log file. You can try to scan the log file to see what it's doing and look for errors. That's how I determined the cause of my problem. My solution was to copy the patched files into the hard-coded directory, even though I never run those copies. A symlink would probably be a better choice...
(If you've never edited your registry to move files, maybe you've used something like TweakUI? Can cause the same problem, for the same reasons.)
Re:Wonder How Microsoft Will React (Score:2, Interesting)
And just WHY should CNN, or any other news service, "push" one product over another? What possible interest could they have?
1. News media frequently do things "for the public good"-- insofar as switching browsers is the best protection, they might recommend doing so just to be helpful. 2. The media are already, even in the CNN article, pushing one product over another-- they suggest updating virus definitions and stuff, which sounds a lot like a product endorsement for virus protection software to me. 3. Their own company might benefit from a more insightful analysis of the issue, considering that CNN has a web server and is probably staffed by lots of web surfers. If they recommend updating virus definitions, yet their server manages to infect me, because I followed their advice and it was insufficient, can I hold them liable? Also, if their employees are affected because they followed an insufficient plan, could it hurt their bottom line?
By the way, my job is not supplying applications support to Microsoft's customers-- no matter how much I care about those customers personally.
I can think of one way to boost security (Score:2, Interesting)
That and just a complete rethink of OS and browsers and "the internet". For another example for another problem, I'd like to see a totally non-commercial email system, no commercial email used in it whatsoever, and your email addy was treated as importantly as your physical address at your home, or like your telco number. You'd have an option, email like it is now, or be inside a commercial free and registered email system that cost folding money per year per email addy and refused any email into it from outside, or any email to leave the system. A large but closed system where every email addy was tied to a real human being with a real name with a real IP for verification. You could still try to use the wild wild west anarchy chaos email system we have now, but also opt in to the closed, verified and much more secure and hassle free email system.
Same thing with the net, anarchy and chaos with hacks, attacks and bogusness, or only visit sites that are verified and secure and conformed to some decent standards that have those issues as of paramount importance, as opposed to blinkenlights eye candy insecure.
I tell you, I just detest that I even have to run javascript to view some pages, I usually skip them. I'm not running an active x machine, but I feel the same way about that too, it's useful, but so easily used for bogusness that it's rapidly lost any universal advantage, IMO.
As to moz and firefox, I don't know on firefox but I don't see a way to disallow small invisible webbugs on moz. That would help. Maybe it's there and I just don't see it though, could just be me I admit, all I see is deny by domain. I want deny for a variety of reasons, size and visibility being a big one. Or conversely, just the ability to choose a single image to view, select it, the page doesn't jump away to refresh the whole deal just that particular image loads. And no downloading images in general but failing to display, I mean it can see an object and only allow it to be downloaded on a case by case basis if you choose that option. Nowadays when you click on an URL you have no idea what you will be downloading unless you view source in advance, which is nuts.
Re:yes (Score:5, Interesting)
Re:MSN Search is infected (Score:3, Interesting)
Re:Another nail in Javascript's coffin (Score:3, Interesting)
Re:Why alternative browsers may not be possible (Score:2, Interesting)
For internal apps, this model makes a lot of sense. The organization has control of the computers and can ensure consistent configuration, training, and security. The users can be monitored and likewise the users can trust the content. Therefore there is no issue with the server taking control of the client machine.
The problem is that web designers tend to assume that everyone on the internet should trust them, and everyone who uses IE tends to believe they can trust all web designers. Generic web pages are designed using features, and often frivolous features at that, that require the server to control the host computer in scary ways.
I think MS realizes the problem and used security zones to try to provide a method by which IE can switch between a web browser and application front end. The problem is that like many failed security measures, it became too inconvenient. Almost all internet sites should be marked as untrusted and placed in the lowest zone, but because so many sites are written badly, users tend to be forced to trust them or not get anything done.
A good example of this is the local school district, which standardized on IE and uses IE features extensively. Within the schools there are few problems. The district does a good job at protecting and training internal users. The problem is that the internet pages, including the home page, only work well on IE. In this way the district is forcing students and parents to use a browser that is verifiably unsafe. Internally they have a need to use IE. Externally, there is little reason for them to ignore standard best practice.
Okay (Score:3, Interesting)
LISTEN UP Mozilla/Firefox/Opera people. Get your marketing divisions off their asses. You will most likely NEVER EVER get another chance like this. If you don't do something now, before MS responds, you deserve to stay marginalised to the end of time.
Re:Funny... (Score:2, Interesting)
Maybe it should be Microsoft please write patches for known exploits in less than two months. Since these IE exploits have been out since April and the IIS problem is now a known unknown exploit.
Re:They won't list the sites (Score:3, Interesting)
Unlike companies, private individuals have better protection in the many states that have anti-SLAPP laws. These laws allow a judge to summarily dismiss SLAPPs (strategic lawsuits against public participation, i.e. intimidation by litigation) and award legal costs to the defendant.
Re:yes (Score:3, Interesting)
NetSec's Houlahan advocated drastic action. "I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now," he said.
Idiot. NetSec credibility is now equal to zero. Of all the people who should have removed all shortcuts to IE, it's a techie. And what's to stop your bank from running the unpatched IIS 5? What about your homepage? IIS 5? Could be. Alt-browser time.
Re:yes (Score:3, Interesting)
When you call BofA, you get "hours" of prerecorded/touch-tone crap. I have just about given up on BofA.
I gave up on B of A when they decided to become Bank of India but forgot to change their name. My local community bank has great customer service and gives back to the community by employing residents. That's where my business and money goes now.