Slashdot Mirror
Corporate Servers Spreading IE Virus [Updated]
uncadonna writes "ZDNet is reporting that corporate web servers are infecting visitors' PCs. The combination of two unpatched IE security holes and hacked corporate websites is apparently distributing malware via
several high-credibility sites. ZDNet says users have 'few options' other than alternative browsers or platforms." Update: 06/25 14:50 GMT by J : A reader points out Microsoft's What You Should Know page. Here's the short version for avoiding this Critical severity attack: you must install add-on software, and change multiple settings in multiple programs, thus causing "some Web sites to work improperly." By changing more settings, you can regain functionality for a particular site if "you trust that it is safe to use," which you have no way of knowing. Or try Firefox. Update: 06/25 19:30 GMT by J : Reuters reports the attack installs a keysniffer which can steal credit card numbers, passwords, and so on. The story offers safety tips, but fails to mention that, after patching the hole, many users will be infected without their knowledge. Shouldn't the "fix" include ceasing to type anything important into your computer until you purchase software which can detect and remove the Trojan? And will you be downloading that software with Mastercard or Visa?
You heard the man.
Go get Firefox Firefox now!
And I also wonder how many people will actually heed the call and switch their browser.
However, I doubt Microsoft will do anything for at least two months. Hopefully by then a major news source will pick up the story and everyone will hear it.
They don't mention that much names.
I however think that besides nda policy or whatever, they should give the names of the sites that should be avoided for security reason.
I'd personally advise the corporate DNS maintainer to redirect these to somwhere safer.
Trolling using another account since 2005.
The disaster we all knew was going to happen. Not just some uber1337 script kiddie releasing a buggy worm that crashes the computers it attacks but organized crime attacking the net infrastructure.
But as bad as this may be this might also mean that finally more and more people and institutions will come to the conclusion, that a global infastrcuture depending on one product from one company simply isn't the way to go. Especially if this company has such a horrid track record when it comes to security.
...that enough people buy spam goods to pay for organized crime.
This time, however, the flaws affect every user of Internet Explorer, because Microsoft has not yet released a patch. Moreover, the infectious Web sites are not just those of minor companies inhabiting the backwaters of the Web, but major companies, including some banks, said Brent Houlahan, chief technology officer of NetSec.
"There's a pretty wide variety," he said. "There are auction sites, price comparison sites and financial institutions."
The Internet Storm Center, which monitors Net threats, confirmed that the list of infected sites included some large Web properties.
"We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.
WHY NOT? I've been trying to think of a reason NOT to list the sites infected, but I can't think of a good one. "To prevent further abuse"???? Wouldn't giving the public NOTICE about these sites help prevent more infections by having people NOT go to those sites?
creation science book
Christ man, how many times do people have to be told to use Firefox or another alternative, more secure browser? IE's browser development efforts have been long gone, and it shows in both features/functionality as well as security.
He'd rather have me wipe spyware and adware from his machine than deal with it. It's a symptom of having w3schools.com graduates making web sites in Frontpage that only work on front page.
Of course, now IE doesn't work at all, so he runs AOL through his broadband connection to surf the Internet.
And yes, I have since stopped wiping adware/spyware from his machine. I told him if he wasn't going to buy a machine that didn't get the stuff, or use a browser that was secure, he can deal with it himself.
I'm in the hole of the broadband donut.
Replying to my own post: :)
:)
If there was a public health risk - such as biohazardous material - even in a private storefront - the city or state would close off the area and warn people not to go there. Yes, you might have people wanting to go anyway, but they've been warned.
I know the analogy isn't all that great, but it's the best I can do right now.
creation science book
I don't buy it.
If your goal is to have the problem fixed, then name names, contact the affected companies so they can fix it (or have their contracted webmasters fix it) and move on.
The whole thing stinks of FUD tactics, and the last line in the article seals it for me: Puleeeeeze
--
Why, who's that informing? This is slashdot you don't think anyone has heard of mozilla? Now that's funny!
-- "of course thats just my opinion, I could be wrong." --Dennis Miller
In the future, people will just "firewall" off offending countries until they start policing and clean up their act. Sort of like UN sanctions but online :)
;P
Besides... AKs aren't allowed over here
Avoid them? Hell, I'd start by blocking them on my web proxy immediately until I get the all clear. We've got thousands of desktop users running IE. This could get nasty.
...that my mother has been running Gentoo on her desktop machine for three weeks now.
Just yet another "security" problem than I won't have to care about. Ahhhh.
The MSN search engine is infected.
You can download the trojan from here:
http://search.msn.com/msits.exe
There is no file there
Maybe someone at MSN Search reads slashdot?
Hello? If you're reading this Mr MSN Search, you might like to check out this cool site.
"Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
menu's and form validation are what javascript should be used for... but instead it's a fully blown programming language...
groklaw, wired and slashdot. The holy trinity of work based time wasting.
First off, I note that this uses vulnerabilities in two of my most favorite pieces of software; IIS and IE. Two of the most security-hole laden software that Microsoft has ever released. Is anyone here really surprised?
Secondly, this puts the lie to the most common Microsoft trolls here every time a new virus/trojan outbreak occurs:
1. Viruses are spread by clueless lusers that click on e-mail attachments. No luser inteeraction seems to be needed here, just browse on by your favorite corporate web-site!
2. If everyone kept their systems patched, there would be no way that viruses like this could spread. Microsoft has known about the IE vulnerabilties used in this case for months now and still hasn't released a patch! To be fair, the article also says that Researchers believe that attackers [may] seed the Web sites with malicious code by breaking into unsecured servers, so an IIS vulnerability that has previously been patched might be part of the problem here, but that still leaves no excuse for the unpatched IE vulnerabilty!
3. Virus writers always use disclosed patch descriptions to determine how to write new viruses; none of them are capable of finding and exploiting vulnerabilties on their own. Note that the article says this may be spread by using a previously unknown vulnerability in Microsoft's Web software, Internet Information Server (IIS).
4. Up-to-date anti-virus software is sufficient to stop these exploits. The article says: the malicious program uploaded to a victim's computer is not currently detected as a virus by most antivirus software.
Nothing else needs to be said.
sPh
Ok, the article states: To prevent further abuse, the list is not published. The exploit is server side, not client side according to reports. Admins of the servers must have been warned and hopefully have cleaned the server already by now. So the public at large is not under threat from their high-profile site. Then not publishing the list is logical under the following reasoning.
What if it is a Zero day exploit on IIS. There is no fix yet. Admins are struggling to clean the servers, but have no clue if what they did to prevent whatever is going on, actually works. Criminals all over the world will be searching for clues on what the exploit is and will want to actively exploit it as well. We don't know what is going on, so it might be possible to put a nice little rootkit undetectible on the server and later use it for interesting purposes. By not naming the sites they are putting an extra, albeit thin, layer of protection around the sites. The list of websites for criminals to target, will be much longer than it could have been if each and every site that was affected would be named on the internet. Most sites are (hopefully) clean right now, so the public is not at risk, but until we know what goes on, the server sure is.
Use Adsense for Charity
The particular exploit discussed here is clearly viral/trojan in nature and a prime candidate for Norton, but there's a good reason why Symantec in particular stays FAR away from spyware detection and deactivation -- the threat of lawsuits.
There's one thing that distinguishes most spyware from what historically would have been classified as viri or trojans... EULAs. Often, the EULAs are cloaked in various ways and trick the user into agreeing to them, or play various tricks with the online equivalent of "shrinkwrap agreements", but one way or another, they're there. Would any sane jury ever actually uphold a EULA promising to deliver targeted advertising in return for the "service" of notifying the contacts in one's address book of free porn, particularly if it were buried in the middle of a EULA the length of __War_and_Peace__? Probably not. But that doesn't mean companies behind it wouldn't go after Symantec anyway and force them to bear the expense of defending themselves against hundreds and hundreds of lawsuits filed against them in every jurisdiction of the world.
Of course, lawsuits against them for helping users to breach EULAs is just one possibility. In common-law countries, actions for libel are another possibility. God only knows what they could be sued for in a civil-law country.
It's the same reason why DELL's tech support refuses (or at least did as of a few months ago... not sure of their current policy) to assist with spyware removal.
Remember, most companies that financially support spyware are on the shady side anyway. For companies like them (can we say, "Sco?"), selling goods and providing services are just ONE element of their money-making plans. They view things like, say, suing their own victims, as a perfectly legitimate strategy.
Yep you don't necessarily need to hack web servers, you can just run your exploit off a banner ad for wide, varied exposure. Pay for it with a stolen credit card. Online ad pushing companies obviously aren't sticklers for ethical ad content, just look at all the dialog-box mimicking ad designs and scams advertised.
You got it. Feel free to distribute this email widely. Use it as much as you want. You dont even have to give me credit.
r el eases/0.9/FirefoxSetup-0.9.exe
m ir rors - for spybot. VERY high traffic here, so be warned.a re/ for adaware.
p
:)
--
Okay, here we go.
First, you need to download a decent web browser. The #1 cause of all that spyware is Internet Explorer allowing websites to automatically install things. (its from all that porn browsing you do.)
Try firefox. Its only 5 megs to download, and its the most simplistic web browser available. You will get no popups. Its very popular, even among non-computer-obsessed folk. My mom uses it.
http://ftp.mozilla.org/pub/mozilla.org/firefox/
Now, I assume you are getting wacky popups and stuff, even when not webbrowsing.
You need to install some spyware killers.
I reccomend Spybot and adaware. These two are will rip through your pc, killing spyware dead. Blam. It may kill some software you like, but its for the better. There will be something out there that can replace anything you have to get rid of. Oh no, no more gator cursors. Whatever. Deal with it, or dont get online ever again.
http://www.safer-networking.org/index.php?page=
http://www.lavasoftusa.com/software/adaw
If those sites arnt working, you can always try "spybot download" and "adaware download" in google.
Then, on top of THOSE. (I know, I know) You need to run a virus scan proggy. Try AVG, its free and better then McAffe
http://www.grisoft.com/us/us_dwnl_free.ph
and last, but almost definitely not least, Windows Update.
Open up IE (you have to use IE for this) and go to www.windowsupdate.com Have MS scan your computer and install all the security stuff. Then reboot. This may take a long, long time, but it is the most crucial step.
comprehensive enough?
--
no
Javascript is only a security risk if it is implemented badly. And like it or not, Javascript (or similar) is here to stay, there's so much you can do with it that can't be done another way.
http://blog.nexusuk.org
They wont mention the names of the sites in the article to prevent further abuse of the exploit or some such, but what are we to do to avoid the exploit if we don't know which sites are infected already?
What good is publicly acknowledging that there are some major sites that are infected if they wont tell us which? Are they worried about the large sites' reputations? What about all the users that are going to be infected because they weren't made aware of which sites to avoid with IE?
I'm on a company system and don't have priveleges to install Firefox, and I doubt I'm the only one.
..will use this as an excuse to mandate control over the Internet.
Dont encourage them.
Step 1: Set Your Browser Security to High
Yes, this will break a lot of web sites.
Step 2: Add Safe Web Sites to Trusted Sites
We know that even popular high-profile web sites are at risk so we cannot add any sites to the trusted zone.
Step 3: Read E-Mail Messages in Plain Text
Marvellous.
Step 4: Block Pop-Up Windows in Your Browser
Add third party product to correct IE flaws.
This is the Internet Experience as supplied by Microsoft: web pages with all fancy features turned off and plain text email. Might as well run mutt and lynx on a Unix based OS.
this is just generic, I don't know your familuy situation exactly, but for what it's worth,the advice is to stop fixing their computers and let them drag the boxes to the shop and pay for it to be cleaned. I'd say in a business situation the same thing if that apploies to anyone else. The concept is stolen from the way the experts advise to deal with a family member who is an addict to booze or drugs, called "tough love". Right now you are acting like an "enabler" by fixing it when it gets hosed, leaving them with the impression that "it's not that bad", when it really IS that bad, they can't see or admit to the elephant in the living room, so just stop being an enabler.
So they quick bought spyglass, renamed it I.E., knitted it into Windows 98. To get around "bundling" provisions in Anti-Trust law they wrote the browser into the OS as the file manager. This "functionality" is the infection vector used by most viruses. Since you use it to browse your files, as well as the Internet, the software requires far more privileged access to the OS than any Internet-Only browser would require.
File this under Evil and Rude.
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
I have no idea why www.mozilla.org is "4, Funny" but www.opera.com is "5, Informative".
do not read this line twice.
IE works.
Well, the fact that you can become infected with a trojan simply by VISITING a web site, with no user interaction at all required, tells me than NO, IE does NOT work.
But that's just a reflection of my personal criteria for whether or not something works.
"I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now," he said.
Uh, use a different browser...remind me to never buy anything NetSec says (whoever they are)or sells henceforth.
Yeah. Except that advice just doesn't help here, because it seems that a security-zone busting exploit is being used, which probably won't be stopped by it. To really prevent it, you'd need to set your Local Computer zone to high safety.
It may not be informing anybody here, but it is a good article for those of us trying to initiate changes in internet policy. We can show it to our management as a reason to say "See! This is why we need that proxy server!" or "This is why we should switch to Opera!" or any other change.
I for one... appreciate the ammunition. (Bet you thought I was going to welcome our new browser overlords, didn't you?)
If Murphy's Law can go wrong, it will.
Its free if you have google ads enabled, which take up less space than the status bar and contain no images (just text ads). Otherwise it's still very cheap considering how good it is.
Rant at other people complaining about it not being free:
Just because IE is free and open source doesn't have a choice doesn't mean that something you have to pay for is not worth paying for. If this held true why would anyone use any peice of software that had a free alternative? I'm not saying that Mozilla or Firefox aren't good, but I am saying Opera offers something for a price that some people will be willing to pay (or live with the non intrusive text ads).
I spent ages trying to think of sig, but never did
What would be nice is to whip up a quick, standardized text that we could email to every webmaster we find the "best viewed with IE" tag on.
Something like:
Dear Webmaster:
While visiting your site, I noticed that it expresses a preference or requirement to view the site using Internet Explorer. I would like to suggest that you make the web page standardized so that any standards-compliant browser can view its complete content.
The World Wide Web Consortium (www.w3c.org) provides specifications and guidelines for web standards. Most mainstream web development tools, with the exception of Microsoft's FrontPage (which uses proprietary code which might only work in its own product, Internet Explorer), are designed to be in compliance with these specifications.
Internet Explorer has been proven time and again to be an insecure product, and is a large cause of malware and other security problems on clients' machines. While specialized code developed to work exclusively in Internet Explorer might be convenient, it may be harmful to the users who view your site.
Please consider using another tool or adjust your web design practices so that the resulting pages may be viewed with any standards-compliant web browser.
long time ago I used to help people fix their cars for free when I had some spare time. One lady I did a complete 4 wheel brake job for. Couple weeks later she comes back to me mad as a wet hen because her engine didn't run well, it had developed a carb problem and it was "all my fault because it ran fine before I worked on it". It didn't matter to her that the brakes got zero to do with it, it was still my fault to her way of thinking.
I do NOT fix peoples cars now, or even offer advice beyond telling them (anyone, this is true facts now) to just buy older cars without ridiculous computer crap on them and just replace the engine or transmission or whatever when it gets completely worn out. Much cheaper and better for them and less hassle for me.
Generally speaking, one should always ask nicely. But I think you're overdoing it here. These sites are exposing their customers to risk. Under the circumstances I think one is justified in being a little more direct. Perhaps replace this by:
As a user of your web site, I object most strongly to your faulty web-site design, which compels your users to expose themselves to security problems.
It's this ease of use that has made Windows the most popular operating system on the planet...
Igor Presnyakov stole my hat
>>"We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.
That's great an all, but what about protecting the users, which can mount to millions of IE users being infected, because they aren't willing to say..."This week don't visit: eBay, Bank of America, etc., etc."
I'd say its more important to protect the uninformed masses of millions of IE users that they need to not visit 25-50 websites for a week, or switch web browsers, then it is to protect those 25-50 websites.
Monopolies, since they have no competition, drag their feet. They chug along at their own pace. But when they start having serious problems with their products, it's already too late. They have a cumbersome task of fixing them. The end result is customers seeking an alternative. Monopolies literally create their own competition due to negligence and lack of motivation. This holds true for Microsoft.
Oh, and by the way, I just tried cbs.sportsline.com and had _zero_ problems with firebird 0.9 under Linux and MS Windows.
Now go back to your popups, spyware, adware and expliots in IE.
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
NFS mount the user's home directory on a server with hardware RAID, hot-swappable drives, and regular backups and you won't have to worry about moving the profile or anything else.
/home is mounted on whatever workstation they happen to be using. It's pretty cool. Pretty close to zero need to carry a notebook around at Sun, I bet.
Seriously, that's the best way to keep all the data safe and backed-up. Indeed, if you can afford a GigE LAN (not all that expensive anymore, but if not, a Fast Ethernet LAN will do well enough), you can run thin clients and run everything off the server, like they do in Largo, Florida. If you're not an all-*nix shop, that must be possible with Windows, too.
While some people might squawk a bit, in truth, most users do not need a full-fledged PC on their desk as work. All the apps they need (or that you want them to have, at least) should be provided by and controlled by the IT department. It's the only way to keep your network safe. Developers might need a full-blown PC, but stick them off on a LAN segment firewalled off from the rest of the PCs, because just being a programmer doesn't mean you won't soon have your machine burdened with 400 pounds of malware and sporting all the latest viruses, too. I think we've all seen programmers who can write code but don't actually know squat about computers or how to keep them secure.
So hand a thin client to everyone you can. They'll get used to it, and you'll save a bunch of money.
You can build one, or if you want to see a nice turn-key system, take a look at a Sun Ray. Sun employees have a card that they stick in the reader on the Sun Ray (and a userid and password I would suppose, or the person with your card 0wnz0rs joo) and their