Microsoft acknowledged this week that Internet Information Server (IIS), a component of the Windows 2000 Server, and holes in the Internet Explorer web browser are being used in widespread attacks that are compromising web pages and using them as launching pads for malicious computer code.
Microsoft issued an alert late last Thursday and posted a web page with information on the attacks. The company urges customers to apply the latest security patches for both IIS and the Internet Explorer Web browser and increase the security settings on Internet Explorer browser. In an unusual move, Microsoft notes that users that are running its as-yet-unreleased Windows XP Service Pack 2 are protected.
The warnings from the company came as antivirus and computer security experts say that an organised gang of Russian hackers are behind the attacks and are using the security holes in a coordinated, global attack to steal sensitive personal and financial information from customers of leading banking and e-commerce websites.
Rumors of the attacks surfaced Thursday, after network administrators spotted malicious files on Windows 2000 machines running IIS 5.0. Computer security experts are still analysing the attacks, but have isolated files involved in the attack and how the malicious files are being spread from websites to customer machines, according to a message posted on The SANS Institute's Internet Storm Center.
The infected files have names such as Download_Ject_Symantec.doc, ipaddress.txt, issue.csv, ads.vbs, and agent.exe. They are placed in a Windows folder named "inetsrv." In addition, the configuration of IIS is changed, so that an option called "enable document footer," is turned on, according to the Internet Storm Center.
The Microsoft website encourages network administrators to apply a recent patch for IIS, MS04-011. Systems that did not have this patch may be vulnerable to the attacks, the company says. A previously unknown and unpatched (or "zero day") security vulnerability in IIS may also be to blame for the infections, says Ken Dunham, director of malicious code at iDefense.
The code redirects the user's web browser to a Russian website from which a Trojan horse program is unknowingly downloaded and installed on the user's system, according to Johannes Ullrich, chief technology officer at the Internet Storm Center.
That program contains a key-capture feature that can be used to steal password and credit card information from Web sessions, and forward those to the criminals behind the scam, experts say.
NetSec, which provides managed security services for large businesses and government agencies, says that an online auction Web site, search engine site, and a comparison shopping site all were known to have infected visitors' computers with the malicious code.
The exploits appear to be the work of an organised group of Russian hackers and are designed to harvest personal information that can be used for financial fraud, security experts say.
Security experts were still trying to determine Friday how IIS servers were compromised and whether applying the latest patches for IIS and Internet Explorer would protect users from the attacks.
"My gut feeling is [patching] doesn't protect you," Dunham says. "If I were a home user, I'd consider using another Web browser, like Mozilla, until a patch comes out," he says.