IT administrators are being warned to double check their servers, and
Web surfers are being cautioned after a widespread hacker attack has
compromised major corporate Web sites and infected thousands of users’
“This is a complicated, sophisticated attack,” says Ken Dunham,
director of malicious code at iDefense, Inc., a security intelligence
company based in Reston, Va. “This appears to be designed to ultimately
steal credit card and identity theft information, which can then be
sold… There could be hundreds of thousands of victims at this point.”
According to security researchers, an organized crime group out of
Russia has launched the attack, compromising Microsoft’s IIS Web
appended to the html page that is called up. That script then exploits
two vulnerabilities in Internet Explorer to install a backdoor into the
download and install an executable from a Russian Web site. Different
executables have been noted, but they include keystroke loggers, proxy
servers and other backdoors providing full access to the compromised
Dunham says the attack was coordinated by the HangUp Team, a hacker
group in Russia — the same group supposedly responsible for the Korgo
worm family. “They’re making a lot of money off this,” says Dunham.
“And they have a serious backend market for peddling information.”
Johannes Ullrich of the Internet Storm Center, which monitors Internet
threats, reports that his organization has been contacted directly by
about 20 companies, so he estimates that 100 or more Web sites have been
infected with the hostile script.
Though his figure is lower than Dunham’s estimate, Ullrich suspects that
thousands, possibly 10,000, user machines have been infected.
Ullrich says the threat is waning as most of the infected Web sites
already have been cleaned up.
But it’s been an attack that had security researchers and some IT
administrators up all night beating back the flames and trying to figure
out exactly how the attack worked.
“This was very dangerous,” says Steve Sundermeier, a vice president at
Medina, Ohio-based Central Command, Inc. “It’s alarming in that you
have large, legitimate corporations being used as a tool. As a user,
especially if you’re entering credit card information, you expect secure
Web sites. Their financial security could be breached. And for the
credibility of the corporation, this is a huge problem.”
Researchers would not release the names of the companies and Web sites
that were compromised for fear of compounding their problems. Ullrich,
however, says the compromised sites included industry associations,
banks, brokerages and travel-related sites.
The question now is how the corporate servers were infected.
Researchers are still investigating the attack and have been slightly
thrown by reports from corporate administrators who said their machines
had been fully patched.
Dunham reports that there is some speculation, even coming from the
Microsoft camp, that the break-ins and server infections are related to
the MS04-11 vulnerability.
“With fully patched boxes being infected, it appears there may be
another component of the MS04-11 vulnerability,” says Dunham. “There’s
a whole bunch of stuff in there and some of it is related to the IIS
servers… We don’t know how they are getting exploited. We’re talking
about highly secure environments.”
Ullrich, however, says it’s possible that the sites were compromised
some time ago before the servers were patched.
Microsoft recommends that users run a search for kk32.dll and
surf.dat. If either of the two files is present, the computer may
be infected. Computers can be cleaned by using up-to-date anti-virus
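Two defender-side checks drawn from the article, as an added example that is not part of the original report or of any vendor tool: a scan of a local directory tree for the two file names Microsoft pointed users at, and a check of a served HTML page for a script element trailing the page's own closing tag (the assumption here is that a legitimate page ends at `</html>`, so anything appended after it is worth a look). The sample pages and the temporary directory tree are constructed for the demonstration.

```python
import os
import re
import tempfile
from typing import List

# File names the article reports Microsoft told users to search for.
INDICATOR_FILES = {"kk32.dll", "surf.dat"}

# Constructed sample pages (not from the article): one clean, one with a
# <script> element appended after the page's own closing </html> tag.
CLEAN_PAGE = "<html><body><p>Welcome</p><script>init();</script></body></html>\n"
TAMPERED_PAGE = CLEAN_PAGE + "<script src='http://example.invalid/x.js'></script>"

_END_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)
_SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def find_appended_script(html: str) -> List[str]:
    """Return <script> elements that appear after the last </html> tag.

    Assumption: a legitimate page ends at </html>, so a script element
    trailing it was added to the page on its way out of the server, which is
    where an administrator comparing served output with the site's own files
    should look first. Pages without a closing tag are reported as clean.
    """
    matches = list(_END_HTML_RE.finditer(html))
    if not matches:
        return []
    tail = html[matches[-1].end():]
    return _SCRIPT_RE.findall(tail)


def find_indicator_files(root: str) -> List[str]:
    """Walk `root` and return paths whose file name matches an indicator name."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower() in INDICATOR_FILES:  # Windows names are case-insensitive
                hits.append(os.path.join(dirpath, name))
    return hits


def demo_indicator_scan() -> List[str]:
    """Build a throwaway tree with a decoy indicator file, scan it, return hit names."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        for rel in ("notes.txt", os.path.join("sub", "KK32.DLL")):
            with open(os.path.join(root, rel), "w") as fh:
                fh.write("constructed sample, not malware\n")
        return sorted(os.path.basename(p).lower() for p in find_indicator_files(root))


if __name__ == "__main__":
    print("appended script blocks:", find_appended_script(TAMPERED_PAGE))
    print("indicator files found:", demo_indicator_scan())
```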