Corporate Servers Spreading IE Virus [Updated]

uncadonna writes "ZDNet is reporting that corporate web servers are infecting visitors' PCs. The combination of two unpatched IE security holes and hacked corporate websites is apparently distributing malware via several high-credibility sites. ZDNet says users have 'few options' other than alternative browsers or platforms." Update: 06/25 14:50 GMT by J : A reader points out Microsoft's What You Should Know page. Here's the short version for avoiding this Critical severity attack: you must install add-on software, and change multiple settings in multiple programs, thus causing "some Web sites to work improperly." By changing more settings, you can regain functionality for a particular site if "you trust that it is safe to use," which you have no way of knowing. Or try Firefox. Update: 06/25 19:30 GMT by J : Reuters reports the attack installs a keysniffer which can steal credit card numbers, passwords, and so on. The story offers safety tips, but fails to mention that, after patching the hole, many users will be infected without their knowledge. Shouldn't the "fix" include ceasing to type anything important into your computer until you purchase software which can detect and remove the Trojan? And will you be downloading that software with Mastercard or Visa?

What really happens...

[ibjhb]

Since the article is very vague, what happens is that once they compromise the IIS server, they modify each site on the server to write a document footer to every page. The document footer calls a DLL placed in the %windir%\system32 directory. The DLL writes a line of JavaScript to each page which redirects the user to a remote server to download the malicious code.

Security Advisories

[Lars+T.]

US-CERT and Internet Storm Center. Less talk, more information.

How to kill it

[SpinyManiac]

I think this is the one I caught at work.
No security restrictions in IE will stop it.

I caught it here:
http://www.yetanotherhomepage.com/j7xx/j7xx .html
There's a reason that this one isn't a link. ;)

I killed mine like this (Windows 2000):

Delete these:
C:\Winnt\System32\Swin32.dll
C:\Winnt\Sys tem32\Automove.exe
C:\Winnt\System32\Trans.exe

And this:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windo ws\Curr entVersion\Run
[Adstartup] C:\Winnt\System32\Automove.exe

Seek and destroy Swin32.dll in the registry
Take out all of the CLSIDs it occurs in.

Can anyone tell me how to develop for Mozilla then

[kahei]

I really wish I could switch to Mozilla (ok, Firefox). My co-workers are switching to Firefox. My users are switching to firefox. But I can't, because I have no idea how to implement my pet project as a mozilla-type plugin.

All it has to do is read in a dictionary file, then catch the 'new page loading' event, perform morphological analysis on the page, and edit the page as it loads to include ruby tags and/or something to display definitions in the toolbar. That's it! It's fairly computationally intensive and sometimes the right html to insert at a given point is a bit of a guessing game, but it's not rocket science. But HOW THE FORK DO I DO IT IN MOZILLA??

PS Yes I have rtfm and no I cannot implement the analysis algorithm usefully in javascript and yes I do have to insert ruby tags, as well as regular javascript that talks back to the plugin, into the page on the fly.

Considering the amount of research that seemed necessary to get it working in the minefield of IE, I expected that I would be quite capable of figuring it out in mozilla, but it just seems to be an order of magnitude harder.

I would be grateful for advice (eg a pointer to a similar project). Or failing that, remarks on the lines of 'if u cant use mozilla u r lame u lame wind0z3 lu20r hehe l8trz' would also be fine.

What about this?

[GrumpyDeveloper]

There's apparently a newly discovered exploit in IE that can compromise an IE user's machine THROUGH AN IMAGE ON A WEB PAGE.

So any server that allows posting of graphics (eBay, many discussion forums, etc) can be "infected". Even those running Linux. The only solution is to stop using IE and pray that Firefox, Mozilla, Opera, etc. exploits are few and far between. Article on graphics exploit here.

Re:MSN Search is infected

[Divlje+Jagode]

If that post is related (msits.exe) then you have real shit going on when you get highjacked:

This popped up six windows which installed both the default-homepage-network hijacker and also some nasty stuff [...]

This crashed Windows Media Player and then it was overwritten with a small windows executable (I have it if you want it) - this was called wmplayer.exe and was in the Windows Media Player folder. The real Windows Media Player had been deleted. [...]

The next time a WMP media file was accessed the new wmplayer.exe file ran and installed lots of adware, junkware, spyware etc, etc. [...]

Now, I use K-meleon and privoxy for 99% of my browsing and only switch to IE when I can't do otherwise.

AVG free edition sygate personal firewall and Spybot seach and destroy (site down) will complete your collection nicely. Might want to have a look at Hijack this and this tutorial as well.

Yes, this is a lot of work for the price of keeping windows running. Some people don't have a choice... Me, as soon as my favourite IDE gets ported to Linux, I'll swap ;-)

Seriously though, if there are any other tools you guys use to try and keep windows secure, please share.

Re:Little things

Honestly, I've not really made the switch myself. The main reason is actually kind of petty, hotkeys. I've become very used to things like shift-clicking a link to bring up extra pages or hitting ctrl-enter after typing in a word to add the http://www. and .com to it. I've been working with IE for long enough that it's second nature to use those keys. Yes, I'm sure that other browsers have ways to do these things, but one gets used to not having to think browsing the web, so learning new keys feels like a fair burden.

I wont comment on your other problems with switching. But you could at least try these things with FireFox. As it turns out both of those hotkeys do exactly the same thing as IE under FireFox. Just tried it with 0.9.

Why alternative browsers may not be possible

[ManyLostPackets]

I work at a bank. A lot of the applications used internally are web apps that require IE... Mozilla/Opera aren't an option because those apps require MSJVM (Microsoft Virtual Machine - no joke), Active X or other proprietary MS technology.

I'm not talking simple forms here, this for Foreign Exchange transactions.

Certificates, multiple passwords, encryption...all moot

Re:Wonder How Microsoft Will React

[cameleon]

Some responses:

1. This has been debated to death by Mozilla fans. Just give it some time, or download another theme.
2. Extensions will be included in 1.0, I think. But there's nothing really missing for someone switching from IE; most extensions are icing for power users.
3. I find Firefox settings very nice for a beginner/someone switching from IE. If you need to dig into about:config, you're not a stereotypical user.
4. Because they are not working right yet. Check bugzilla if you want to know the details.
5. This, I agree with. I'd remove all the buttons immediately, but for people coming from IE, it would be useful.
6. No idea, I have a keyword ('g') set up for google searching.
7. Here, you're just wrong. The installer asks on install if you want to import settings from IE, and I believe there's also a menu item to do it later.
8. That's because shift-click saves a page. Try ctrl-click.
9. I find it is instantanious on my 900 MHz Athlon, but this depends a lot on your computer. For me, it's the opposite: IE draws the window borders, then sits there for a few seconds before I can do anything with it. And Firefox still speeds up with each release.

In short, you don't sound like a typical user; you're more likely a power user, and as a power user, you're expected to dig for a few options. Otherwise, the options dialog would be too overwhelming.

Re:yes

http://www.mozilla.org

Two things:

1. Don't use an account that has elevated priviledges.
2. Don't install the latest security patches for I.E. 6.0.

The article mentions that the exploit takes advantage of the recently announced vulnerability in I.E. that an advertising company was exploiting. My testing of this vulnerability revealed that it would be unsuccessful if you didn't use a priviledged account. And oddly, at least with the previous exploit, the code wouldn't run until I installed the latest security updates. A generic install of Windows XP or one with SP1 didn't appear to work. Odd.

The solution to every web problem in Windows

[allio]

Layers of protection.

Base: An up to date host file. This can probably block 95% of web nasties, regardless of source, yet is overlooked by most people.
Second: Proxomitron. The second browser-independent tool, it's a relatively little-known local proxy that filters the crap (including more ads than virtually every other solution) from a webpage before feeding it to your browser. Also handily removes most of the ActiveX and Javascript that causes these exploits. I simply cannot recommend it enough. In addition, it's fully configurable, and there are plenty of people out there who will write custom filters to get rid of any sort of ad that slips through.
Third: Firefox. I hesitate to suggest Opera because I don't feel it's as high a quality a product, and is closed-source, meaning it could be almost as susceptible to this stuff as Internet Explorer, should the bad guys aim their sights on it.
Fourth: In-browser plugins such as Adblock, which probably won't do much to stop this particular problem, but are nice to have around regardless.