

Sophisticated Web attack could steal financial information


June 25, 2004

IT administrators and department managers are being warned to double check their servers, and Web surfers are being cautioned after a widespread hacker attack has compromised major corporate Web sites, and infected thousands if not hundreds of thousands of users' computers.

''This is a complicated, sophisticated attack,'' says Ken Dunham, director of malicious code at iDefense, Inc., a security intelligence company based in Reston, Va.

''This appears to be designed to ultimately steal credit card and identity theft information, which can then be sold... There could be hundreds of thousands of victims at this point.''

According to security researchers, an organized crime group out of Russia has launched the attack, compromising Microsoft IIS Web servers. When a Web surfer visits an infected Web site, JavaScript is appended to the HTML page that is served. That script then exploits two vulnerabilities in Internet Explorer to install a backdoor on the user's computer.

Once this is done, the JavaScript instructs the user's browser to download and install an executable from a Russian Web site. Different executables have been noted, but they include keystroke loggers, proxy servers and other backdoors providing full access to the compromised system.

Dunham says the attack was coordinated by the HangUp Team, a hacker group in Russia -- the same group supposedly responsible for the Korgo worm family. ''They're making a lot of money off this,'' says Dunham. ''And they have a serious backend market for peddling information.''

Johannes Ullrich of the Internet Storm Center, which monitors Internet threats, reports that his organization has been contacted directly by about 20 companies, so he estimates that 100 or more Web sites have been infected with the hostile script.

Ullrich's estimate is lower than Dunham's: he suspects that thousands, possibly 10 thousand, user machines have been infected.

Ullrich says the threat is waning as most of the infected Web sites already have been cleaned up.

But it's been an attack that had security researchers and some IT administrators up all night beating back the flames and trying to figure out exactly how the attack worked.

''This was very dangerous,'' says Steve Sundermeier, a vice president at Medina, Ohio-based Central Command, Inc. ''It's alarming in that you have large, legitimate corporations being used as a tool. As a user, especially if you're entering credit card information, you expect secure Web sites. Their financial security could be breached. And for the credibility of the corporation, this is a huge problem.''

Researchers would not release the names of the companies and Web sites that were compromised for fear of compounding their problems. Ullrich, however, says the compromised sites included industry associations, banks, brokerages and travel-related sites.

The question now is how the corporate servers were infected. Researchers are still investigating the attack and have been slightly thrown by reports from corporate administrators who said their machines had been fully patched.

Dunham reports that there is some speculation, even coming from the Microsoft camp, that the break-ins and server infections are related to the MS04-11 vulnerability.

''With fully patched boxes being infected, it appears there may be another component of the MS04-11 vulnerability,'' says Dunham. ''There's a whole bunch of stuff in there and some of it is related to the IIS servers... We don't know how they are getting exploited. We're talking about highly secure environments.''

Ullrich, however, says it's possible that the sites were compromised some time ago before the servers were patched.

Microsoft recommends that users run a search for kk32.dll and surf.dat. If either of the two files is present, the computer may be infected. Computers can be cleaned by using up-to-date anti-virus software.
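A defender-side sweep for the two indicator file names the article cites, added here as an example; it is not part of the article or of Microsoft's guidance. The served-page check (a script block following the closing html tag) is an assumption drawn from the article's description of appended script, and the sample directory tree is constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# Host-side indicator file names from the article (Microsoft's guidance).
IOC_FILENAMES = {"kk32.dll", "surf.dat"}
# Served-page check: a <script> block after </html>, the trace an appended
# script would leave. This pattern is an assumption, not from the article.
TRAILING_SCRIPT = re.compile(r"</html>\s*<script\b.*?</script>",
                             re.IGNORECASE | re.DOTALL)

def find_ioc_files(root):
    """Walk root and return paths whose file name matches an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            if name.lower() in IOC_FILENAMES:  # Windows names are case-insensitive
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def find_appended_scripts(webroot, suffixes=(".htm", ".html")):
    """Return served pages that carry a <script> block after </html>."""
    flagged = []
    for path in Path(webroot).rglob("*"):
        if path.suffix.lower() not in suffixes or not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip it, do not abort the sweep
        if TRAILING_SCRIPT.search(text):
            flagged.append(str(path))
    return sorted(flagged)

def build_sample_tree(base=None):
    """Constructed sample data (not real samples) so the checks run offline."""
    base = Path(base or tempfile.mkdtemp())
    (base / "sys").mkdir(exist_ok=True)
    (base / "sys" / "KK32.DLL").write_bytes(b"\x00")
    (base / "sys" / "surf.dat").write_bytes(b"\x00")
    (base / "sys" / "harmless.dll").write_bytes(b"\x00")
    (base / "www").mkdir(exist_ok=True)
    (base / "www" / "clean.html").write_text("<html><body>ok</body></html>\n")
    (base / "www" / "index.html").write_text(
        "<html><body>shop</body></html>\n<script>/* appended */</script>\n")
    return base
```

Run `find_ioc_files` against a workstation's system directories and `find_appended_scripts` against a Web server's document root; a hit is a reason to pull the machine for anti-virus cleanup, not proof on its own.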

Source: Datamation / EarthWeb

