Slashdot Mirror


Corporate Servers Spreading IE Virus [Updated]

uncadonna writes "ZDNet is reporting that corporate web servers are infecting visitors' PCs. The combination of two unpatched IE security holes and hacked corporate websites is apparently distributing malware via several high-credibility sites. ZDNet says users have 'few options' other than alternative browsers or platforms."

Update: 06/25 14:50 GMT by J: A reader points out Microsoft's What You Should Know page. Here's the short version for avoiding this Critical severity attack: you must install add-on software, and change multiple settings in multiple programs, thus causing "some Web sites to work improperly." By changing more settings, you can regain functionality for a particular site if "you trust that it is safe to use," which you have no way of knowing. Or try Firefox.

Update: 06/25 19:30 GMT by J: Reuters reports the attack installs a keysniffer which can steal credit card numbers, passwords, and so on. The story offers safety tips, but fails to mention that, after patching the hole, many users will be infected without their knowledge. Shouldn't the "fix" include ceasing to type anything important into your computer until you purchase software which can detect and remove the Trojan? And will you be downloading that software with Mastercard or Visa?

27 of 1,028 comments

  1. Wonder How Microsoft Will React by RDosage · · Score: 5, Insightful

    And I also wonder how many people will actually heed the call and switch their browser.

    However, I doubt Microsoft will do anything for at least two months. Hopefully by then a major news source will pick up the story and everyone will hear it.

    1. Re:Wonder How Microsoft Will React by NeoThermic · · Score: 5, Insightful

      >> And I also wonder how many people will actually heed the call and switch their browser.

      Very very few. I've got Firefox installed on my family computer. Despite them getting infected with adware and spyware through IE, none of them want to use Firefox. I've asked them many times, and even gone to the point of deleting IE, but their resilience to use anything else forced me to put it back on (amongst other reasons).

      However, while Microsoft are normally very good at patching these security faults, this time they have totally failed. The blame doesn't rest with stubborn users who refuse to switch. The blame rests with Microsoft's inability to provide a patch in time.

      Once they do supply a patch, it will then turn into the case of a stupid user who doesn't patch. (and my server's Apache logs show this, I'm still getting attacked by Code Red from infected servers who have not been patched).

      Hopefully Microsoft will adapt to the pressure created by the users not being happy with the situation and release a patch.

      Then again, looking at the age of IE and the number of requests to make a better version added to the time it's taken them to respond, I'm starting a pool for those who want to bid on the release date of the patch. All dates start from 2005 onwards...

      NeoThermic

      --
      Use my link above, or to view my server, NeoThermic.com
    2. Re:Wonder How Microsoft Will React by h00pla · · Score: 4, Insightful
      Microsoft will always react by protecting their interests. If it's in their best interests to fix it quickly, they will. If it isn't, they won't.

      Who I am beginning to hope will start to react to this kind of thing is our governments. As we depend on the WWW/Internet for so much of our daily lives, I think it's time for a summit to be called about improving the state of the "Information Superhighway". This particular highway is beginning to look like one of these roads you hear about in Afghanistan where you can't get from point A to B without something nasty happening.

      What we need is a solution to the monoculture of Microsoft and not just another fine (like what recently happened with the EU) that MS will just write off in their next quarterly statement. We need them to skip the fines and simply say: Fix your crappy software or we will shut you down. It will never happen, of course.

      --
      I've been swashdotted -- Elmer Fudd
    3. Re:Wonder How Microsoft Will React by NeoThermic · · Score: 4, Insightful

      >>Why not?

      It's fairly simple where the blame lies here. With Microsoft. No matter how you view it, by not providing a patch, they are the ones to blame. If there was a patch available, then yes, blame the users.

      If it's still hard to see, consider this.
      Say a car had a problem by which it would be easy to break into even when locked, without any signs of break-in. You would *expect* the manufacturer of the car to recall all the cars and fix them. If they didn't then the blame (and possible lawsuits) lie with the manufacturer.

      It's the same with this instance. You would *expect* Microsoft to release a patch ASAP. They haven't and thus the blame lies with them.

      NeoThermic

      --
      Use my link above, or to view my server, NeoThermic.com
    4. Re:Wonder How Microsoft Will React by ninewands · · Score: 4, Insightful
      Quoth the poster:
      We need these sites to push the idea of Mozilla to the masses

      And just WHY should CNN, or any other news service, "push" one product over another? What possible interest could they have?

      What is needed is for people (Slashdotters???) who provide "level one" tech support to family and friends to do what I did on my fiancee's computer about three weeks ago.

      Her installed IE would crash while launching and ask if she wanted to send an error report to MS. I ran Ad-Aware on her box and found about a dozen "browser hijacks" in amongst all the malware cookies, etc. I removed them, removed all the Shortcuts to IE and Outlook Express from her desktop, installed Firefox and Thunderbird (along with the AdBlock and Things They Left Out extensions and a theme she liked), then made sure they were set as the default browser and mail program. Next I imported her Inbox from Outlook Express into T-bird. Finally, I turned on pop-up blocking and showed her how to use AdBlock to block ad servers.

      She's been happy as a clam ever since. To quote, "Getting on the 'net is fun again."

      Don't ask the media to do our job for us.
    5. Re:Wonder How Microsoft Will React by IANAAC · · Score: 4, Insightful
      Kind of a shame that you have to lie about what browser you're installing for them, don't you think? In the long run you're doing a disservice to the Mozilla folks by passing it off as IE, not to mention downright deceit to the user.

      A much better approach would be to sit down with the users with both browsers, and surf to good and bad sites with both to demonstrate the differences.

    6. Re:Wonder How Microsoft Will React by SilentChris · · Score: 4, Insightful

      "What I have always done is download Firefox, change the icon to the blue E, and rename the shortcut "Internet Explorer". I then tell them, "It's the new version of Internet Explorer, called Mozilla.""

      So the only recourse to introducing the new software is to *trick* people into using it? Doesn't sound like a very effective (or fair) argument.

    7. Re:Wonder How Microsoft Will React by SilentChris · · Score: 5, Insightful

      "and even gone to the point of deleting IE"

      May I ask why? Your users (family) are obviously telling you something: they don't like your solution. In addition, if you're actually deleting IE (not just removing the icon) you're probably breaking a lot of apps like Norton Antivirus that require the MSHTML.dll (among others), making things worse.

      Always make new software an option, not "trick" the user or remove their old software. Explain the reasons for the change and the benefits of the new software. If they don't find any, obviously your argument doesn't hold as much weight as you thought it would.

    8. Re:Wonder How Microsoft Will React by pohl · · Score: 5, Insightful
      And just WHY should CNN, or any other news service, "push" one product over another? What possible interest could they have?

      I don't think they should push one product over another, but I would love to see them identify the product & vendor of the vulnerable software. Too often these stories are very generic, saying that the virus infects your computer when you visit a website -- whereas they should say that the virus infects Microsoft Windows(tm) when you use Microsoft Internet Explorer(tm) to visit a website.

      In addition, rather than saying that you should just keep your anti-virus software up-to-date, they should offer the useful tidbit that the virus could also be avoided by using alternatives to the vulnerable products. They don't have to mention Opera or Mozilla. They don't have to mention Linux or MacOS X. Just let the users know that there are other things they could do beyond paying Symantec (et al) for a more recent anti-virus package.

      What possible interest could they have in doing this? To inform. That's a novel concept for a news source, I know...but I'd still like to see it happen now & then.

      --

      The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...

    9. Re:Wonder How Microsoft Will React by rembem · · Score: 5, Insightful

      The problem is that most people think that that Blue E == The Web == The Internet. E.g. many don't see they're also using internet when they're e-mailing. When you say "I'm gonna remove IE and give you firefox.", they think "He's gonna remove my internet access for some fire security reason! Ahrg!" They somehow just can't grasp what the internet is. What they see is the web, therefore they assume that the web == the internet. To start 'the internet', they click the blue E, therefore they assume that the blue E == the internet.

      Somehow you've got to educate those people that The Internet != The Web != Blue E. Now you're just abusing their primitive assumptions. ;)

  2. FUD ? by mirko · · Score: 4, Insightful

    They don't mention that many names.
    I however think that besides NDA policy or whatever, they should give the names of the sites that should be avoided for security reasons.
    I'd personally advise the corporate DNS maintainer to redirect these to somewhere safer.

    --
    Trolling using another account since 2005.
  3. This could finally be it by Anonymous Coward · · Score: 5, Insightful

    The disaster we all knew was going to happen. Not just some uber1337 script kiddie releasing a buggy worm that crashes the computers it attacks but organized crime attacking the net infrastructure.

    But as bad as this may be, this might also mean that finally more and more people and institutions will come to the conclusion that a global infrastructure depending on one product from one company simply isn't the way to go. Especially if this company has such a horrid track record when it comes to security.

  4. one thing I never get... by Mengoxon · · Score: 4, Insightful

    ...that enough people buy spam goods to pay for organized crime.

  5. They won't list the sites by mgkimsal2 · · Score: 5, Insightful

    This time, however, the flaws affect every user of Internet Explorer, because Microsoft has not yet released a patch. Moreover, the infectious Web sites are not just those of minor companies inhabiting the backwaters of the Web, but major companies, including some banks, said Brent Houlahan, chief technology officer of NetSec.

    "There's a pretty wide variety," he said. "There are auction sites, price comparison sites and financial institutions."

    The Internet Storm Center, which monitors Net threats, confirmed that the list of infected sites included some large Web properties.

    "We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.


    WHY NOT? I've been trying to think of a reason NOT to list the sites infected, but I can't think of a good one. "To prevent further abuse"???? Wouldn't giving the public NOTICE about these sites help prevent more infections by having people NOT go to those sites?

    1. Re:They won't list the sites by flowerp · · Score: 5, Insightful


      Nope, I think the real reason is protecting the businesses.

      Even if the sites' admins had already removed the infecting code, a "dangerous sites" list like that would likely prevent many potential visits to the site for weeks to come.

      --
      --- Eat my sig.
  6. Hello? Use Firefox! by Solar+Limb · · Score: 4, Insightful

    Christ man, how many times do people have to be told to use Firefox or another alternative, more secure browser? IE's browser development efforts have been long gone, and it shows in both features/functionality as well as security.

  7. But How Many People Will Switch? by Paulrothrock · · Score: 5, Insightful
    My dad had horrible spyware gunking up his PC at home. (Which he bought against my recommendation of a Macintosh.) I used my limited knowledge of spyware to clean it up, and told him to use Firefox. Next week, the default browser was back to IE. I changed it because I thought Windows had done something. The following week he told me "I don't want to use Firefox. Nothing works in it!"

    He'd rather have me wipe spyware and adware from his machine than deal with it. It's a symptom of having w3schools.com graduates making web sites in Frontpage that only work on front page.

    Of course, now IE doesn't work at all, so he runs AOL through his broadband connection to surf the Internet.

    And yes, I have since stopped wiping adware/spyware from his machine. I told him if he wasn't going to buy a machine that didn't get the stuff, or use a browser that was secure, he can deal with it himself.

    --
    I'm in the hole of the broadband donut.
  8. I call bullshit by JUSTONEMORELATTE · · Score: 4, Insightful
    "We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.

    I don't buy it.
    If your goal is to have the problem fixed, then name names, contact the affected companies so they can fix it (or have their contracted webmasters fix it) and move on.
    The whole thing stinks of FUD tactics, and the last line in the article seals it for me:
    NetSec's Houlahan advocated drastic action.

    "I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now," he said.
    Puleeeeeze

    --
  9. Re:yes by Pros_n_Cons · · Score: 4, Insightful

    Why, who's that informing? This is slashdot you don't think anyone has heard of mozilla? Now that's funny!

    --

    -- "of course thats just my opinion, I could be wrong." --Dennis Miller
  10. Re:what sites are infected? by AKnightCowboy · · Score: 4, Insightful
    So does anyone know what sites are infected? I'm sure most of us would like to avoid them...

    Avoid them? Hell, I'd start by blocking them on my web proxy immediately until I get the all clear. We've got thousands of desktop users running IE. This could get nasty.

  11. Because it would make me ANGRY by Gzip+Christ · · Score: 4, Insightful
    WHY NOT? I've been trying to think of a reason NOT to list the sites infected, but I can't think of a good one.
    They are probably not listing the sites in order to prevent (or minimize) a consumer backlash from consumers against the sites and then a subsequent backlash from the companies against Microsoft. I tell you what - if I found out that any of my banks were irresponsible enough to be running infected servers like this I would immediately move my accounts elsewhere. I'd also be very eager to participate in any class action lawsuit against said institutions. If you don't know how to drive you stay off the road. If you don't know how to keep your servers secure, stay the hell off the Internet. My banks have a fiduciary responsibility to protect my money and if they are knowingly running an infected server, I would consider that a breach of their responsibility, and I would hope that the courts agree. This is like a brick and mortar bank keeping money and records on location when it knows that the locks on the doors don't work!
  12. Re:public health comparison? by The_REAL_DZA · · Score: 4, Insightful
    If there was a public health risk - such as biohazardous material - even in a private storefront - the city or state would close off the area and warn people not to go there. Yes, you might have people wanting to go anyway, but they've been warned.
    Oh, you'd not only have people wanting to go there, you'd have people determined to go there (whether just to "test their mettle" or because they're crazy or just stupid or whatever), and the authorities would physically block access to the site by closing roads and posting armed security personnel around the perimeter. That's what's missing with the internet: a truly controlling authority with rapid response capabilities to answer "emergency" calls such as we might expect to come in to the local 911 switchboard, plus the ability (and willingness) to quarantine "sites" that pose a potential "public health risk" to the rest of the 'net. That's both bad (from a potential-victim standpoint) and good (from a personal liberties standpoint), but there's got to be some middle ground better than just running the internet "WFO" and depending on the good nature and virtue of the general public.
    --


    This space intentionally left (almost) blank.
  13. RTFA "To prevent further abuse" by Raindeer · · Score: 4, Insightful

    Ok, the article states: To prevent further abuse, the list is not published. The exploit is server side, not client side according to reports. Admins of the servers must have been warned and hopefully have cleaned the server already by now. So the public at large is not under threat from their high-profile site. Then not publishing the list is logical under the following reasoning.

    What if it is a Zero day exploit on IIS? There is no fix yet. Admins are struggling to clean the servers, but have no clue if what they did to prevent whatever is going on, actually works. Criminals all over the world will be searching for clues on what the exploit is and will want to actively exploit it as well. We don't know what is going on, so it might be possible to put a nice little rootkit undetectable on the server and later use it for interesting purposes. By not naming the sites they are putting an extra, albeit thin, layer of protection around the sites. The list of websites for criminals to target, will be much longer than it could have been if each and every site that was affected would be named on the internet. Most sites are (hopefully) clean right now, so the public is not at risk, but until we know what goes on, the server sure is.

  14. Re:Education by bludstone · · Score: 4, Insightful

    You got it. Feel free to distribute this email widely. Use it as much as you want. You don't even have to give me credit.

    --

    Okay, here we go.

    First, you need to download a decent web browser. The #1 cause of all that spyware is Internet Explorer allowing websites to automatically install things. (it's from all that porn browsing you do.)

    Try Firefox. It's only 5 megs to download, and it's the most simplistic web browser available. You will get no popups. It's very popular, even among non-computer-obsessed folk. My mom uses it.

    http://ftp.mozilla.org/pub/mozilla.org/firefox/releases/0.9/FirefoxSetup-0.9.exe

    Now, I assume you are getting wacky popups and stuff, even when not webbrowsing.

    You need to install some spyware killers.

    I recommend Spybot and adaware. These two will rip through your pc, killing spyware dead. Blam. It may kill some software you like, but it's for the better. There will be something out there that can replace anything you have to get rid of. Oh no, no more gator cursors. Whatever. Deal with it, or don't get online ever again.

    http://www.safer-networking.org/index.php?page=mirrors - for spybot. VERY high traffic here, so be warned.
    http://www.lavasoftusa.com/software/adaware/ for adaware.

    If those sites aren't working, you can always try "spybot download" and "adaware download" in google.

    Then, on top of THOSE. (I know, I know) You need to run a virus scan proggy. Try AVG, it's free and better than McAfee.
    http://www.grisoft.com/us/us_dwnl_free.php

    and last, but almost definitely not least, Windows Update.

    Open up IE (you have to use IE for this) and go to www.windowsupdate.com Have MS scan your computer and install all the security stuff. Then reboot. This may take a long, long time, but it is the most crucial step.

    comprehensive enough? :)

    --

    --

    no .sig
  15. tough love by zogger · · Score: 5, Insightful

    This is just generic, I don't know your family situation exactly, but for what it's worth, the advice is to stop fixing their computers and let them drag the boxes to the shop and pay for it to be cleaned. I'd say in a business situation the same thing if that applies to anyone else. The concept is stolen from the way the experts advise to deal with a family member who is an addict to booze or drugs, called "tough love". Right now you are acting like an "enabler" by fixing it when it gets hosed, leaving them with the impression that "it's not that bad", when it really IS that bad, they can't see or admit to the elephant in the living room, so just stop being an enabler.

  16. Re:Little things by chromaphobic · · Score: 5, Insightful

    IE works.

    Well, the fact that you can become infected with a trojan simply by VISITING a web site, with no user interaction at all required, tells me that NO, IE does NOT work.

    But that's just a reflection of my personal criteria for whether or not something works.

  17. NetSec's Houlahan advocated drastic action: by jonasmit · · Score: 4, Insightful

    "I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now," he said.
    Uh, use a different browser... remind me to never buy anything NetSec says (whoever they are) or sells henceforth.