Slashdot Mirror
Corporate Servers Spreading IE Virus [Updated]
uncadonna writes "ZDNet is reporting that corporate web servers are infecting visitors' PCs. The combination of two unpatched IE security holes and hacked corporate websites is apparently distributing malware via
several high-credibility sites. ZDNet says users have 'few options' other than alternative browsers or platforms." Update: 06/25 14:50 GMT by J : A reader points out Microsoft's What You Should Know page. Here's the short version for avoiding this Critical severity attack: you must install add-on software, and change multiple settings in multiple programs, thus causing "some Web sites to work improperly." By changing more settings, you can regain functionality for a particular site if "you trust that it is safe to use," which you have no way of knowing. Or try Firefox. Update: 06/25 19:30 GMT by J : Reuters reports the attack installs a keysniffer which can steal credit card numbers, passwords, and so on. The story offers safety tips, but fails to mention that, after patching the hole, many users will be infected without their knowledge. Shouldn't the "fix" include ceasing to type anything important into your computer until you purchase software which can detect and remove the Trojan? And will you be downloading that software with Mastercard or Visa?
http://www.mozilla.org
And I also wonder how many people will actually heed the call and switch their browser.
However, I doubt Microsoft will do anything for at least two months. Hopefully by then a major news source will pick up the story and everyone will hear it.
They don't mention that much names.
I however think that besides nda policy or whatever, they should give the names of the sites that should be avoided for security reason.
I'd personally advise the corporate DNS maintainer to redirect these to somwhere safer.
Trolling using another account since 2005.
Opera also offeres a very decent alternative to both IE and Mozilla/Firefox.
I spent ages trying to think of sig, but never did
I think I'll just have to be content that great browsers like Firefox are available for me to use, because obviously the masses are never going to be interested.
With these unpatched IE flaws in the wild, IE users don't even have to do something silly to get infected. But I suppose you could argue they are already doing something silly!
Homme petit d'homme petit, s'attend, n'avale
The disaster we all knew was going to happen. Not just some uber1337 script kiddie releasing a buggy worm that crashes the computers it attacks but organized crime attacking the net infrastructure.
But as bad as this may be this might also mean that finally more and more people and institutions will come to the conclusion, that a global infastrcuture depending on one product from one company simply isn't the way to go. Especially if this company has such a horrid track record when it comes to security.
...that enough people buy spam goods to pay for organized crime.
Since the article is very vague, what happens is that once they compromise the IIS server, they modify each site on the server to write a document footer to every page. The document footer calls a DLL placed in the %windir%\system32 directory. The DLL writes a line of JavaScript to each page which redirects the user to a remote server to download the malicious code.
This time, however, the flaws affect every user of Internet Explorer, because Microsoft has not yet released a patch. Moreover, the infectious Web sites are not just those of minor companies inhabiting the backwaters of the Web, but major companies, including some banks, said Brent Houlahan, chief technology officer of NetSec.
"There's a pretty wide variety," he said. "There are auction sites, price comparison sites and financial institutions."
The Internet Storm Center, which monitors Net threats, confirmed that the list of infected sites included some large Web properties.
"We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.
WHY NOT? I've been trying to think of a reason NOT to list the sites infected, but I can't think of a good one. "To prevent further abuse"???? Wouldn't giving the public NOTICE about these sites help prevent more infections by having people NOT go to those sites?
creation science book
US-CERT and Internet Storm Center. Less talk, more information.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
I know its not fashionable around these parts, being closed source, but Opera (www.opera.com) really is the bees knees. On my machine it renders faster, everything is snappier than mozilla/firefox and has more features than you can shake Darl Mcbride at. Its not free, true, but costs about the same as a pop-up blocker for Internal Exploder Plus, Operas built in mail client is wonderful Not that Im badmouthing firefox, I have that too, I just like Opera even better
I've always wondered how my coworkers who "only" go to major sites like Yahoo and Ebay, pick up all sorts of spyware and adware.
It has just been brought to our attention at the root of the problem this site
flinging poop since 1969
http://www.microsoft.com/security/incident/downloa d_ject.mspx
/.) that a patched PC is safe.
Linked to from their home page, has been for quite a few hours. Gives more information, including an inference that the server portion is self propogating, and that (contract to
Read reviews of shopping cart software
Christ man, how many times do people have to be told to use Firefox or another alternative, more secure browser? IE's browser development efforts have been long gone, and it shows in both features/functionality as well as security.
He'd rather have me wipe spyware and adware from his machine than deal with it. It's a symptom of having w3schools.com graduates making web sites in Frontpage that only work on front page.
Of course, now IE doesn't work at all, so he runs AOL through his broadband connection to surf the Internet.
And yes, I have since stopped wiping adware/spyware from his machine. I told him if he wasn't going to buy a machine that didn't get the stuff, or use a browser that was secure, he can deal with it himself.
I'm in the hole of the broadband donut.
I think this is the one I caught at work.
x .html ;)
s tem32\Automove.exe
o ws\Curr entVersion\Run
No security restrictions in IE will stop it.
I caught it here:
http://www.yetanotherhomepage.com/j7xx/j7x
There's a reason that this one isn't a link.
I killed mine like this (Windows 2000):
Delete these:
C:\Winnt\System32\Swin32.dll
C:\Winnt\Sy
C:\Winnt\System32\Trans.exe
And this:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wind
[Adstartup] C:\Winnt\System32\Automove.exe
Seek and destroy Swin32.dll in the registry
Take out all of the CLSIDs it occurs in.
It's never too late to have a happy childhood.
I was wondering where I got this from. I spent 4 hours removing Malware from my computer the other day. Since I don't tend to visit pr0n sites at work, I had know idea how I was so badly infected until now... Ad-aware, spybot, and Nortons did not find the evil software. My process list was filled with MANY unkillable process with random names. Every time I killed one, it would start again with a new name. I found the executables on my drive and deleted them, they would RE-CREATE themselves!! Also, it looked like one of the installed viruses(?) would download new Malware! I was wondering, is this a virus? is it spyware? It was hard to classify as far as I could tell and it SUCKED.
Word to me.
I don't buy it.
If your goal is to have the problem fixed, then name names, contact the affected companies so they can fix it (or have their contracted webmasters fix it) and move on.
The whole thing stinks of FUD tactics, and the last line in the article seals it for me: Puleeeeeze
--
This "virus" is not detected by antivirus software, according to the article. Does anyone know why? I run eTrust on my IIS boxen. (yes, I have a few, no I didn't put them there, no, they shouldn't be there, but our dev team wants ASP) Etrust is a fine product, but supposedly this offending code isn't detected. That bothers me a little, but this leads to another question.
Why isn't spyware classified as viral code? I realize it doesn't spread in the same manner as a virus, but it a) installs itself uninvited b) causes the PC and its software to behave erratically and c) makes my job needlessly more difficult. It bothers me that virus scanners aren't picking up spyware.
Anyway, to bring this back on topic, this situation requires a server side fix. I'm sorry, I can't tell every customer to switch browsers. I can't even get my internal users to switch. Most can't, because of some oddly coded piece of software that only runs in IE. My point is, my boxen might be infected right now. Not caught by AV software, how am I supposed to determine whether this thing lives on my server?
There is no reasonable defense against an idiot with an agenda
:wq
So many places say "this site best when viewed with IE." IANAL, but it seems irresponsible for a site to recommend IE, especially if site handles sensitive materials such as financial services or downloadable software. If IE includes known vulnerabilities, can sites be held liable for making that recommendation?
Any thoughts from the more legally minded amongst us?
Two wrongs don't make a right, but three lefts do.
The original post mentions a "combination of two unpatched IE security holes", but both the US-CERT and Internet Storm Center only mention javascript and not a specific browser as being able to be compromised by the infected IIS servers.
My question is, how do we know this is an IE-only problem? I ask this because I have several friends whom I'm trying to convince try an alternative browser for security reasons but I don't want to be that guy we all know who goes off about "IE exploits" that turn out to be nothing of the sort.
It won't be long before Javascript is considered a complete security risk and it's the web developers who are going to suffer. Despite the rantings of sysadmins who don't touch web development it is actually a very useful language to supplement HTML.
Javascript menus and first pass form validation, anyone?
Avoid them? Hell, I'd start by blocking them on my web proxy immediately until I get the all clear. We've got thousands of desktop users running IE. This could get nasty.
What You Should Know About Download.Ject
This space intentionally left (almost) blank.
I really wish I could switch to Mozilla (ok, Firefox). My co-workers are switching to Firefox. My users are switching to firefox. But I can't, because I have no idea how to implement my pet project as a mozilla-type plugin.
All it has to do is read in a dictionary file, then catch the 'new page loading' event, perform morphological analysis on the page, and edit the page as it loads to include ruby tags and/or something to display definitions in the toolbar. That's it! It's fairly computationally intensive and sometimes the right html to insert at a given point is a bit of a guessing game, but it's not rocket science. But HOW THE FORK DO I DO IT IN MOZILLA??
PS Yes I have rtfm and no I cannot implement the analysis algorithm usefully in javascript and yes I do have to insert ruby tags, as well as regular javascript that talks back to the plugin, into the page on the fly.
Considering the amount of research that seemed necessary to get it working in the minefield of IE, I expected that I would be quite capable of figuring it out in mozilla, but it just seems to be an order of magnitude harder.
I would be grateful for advice (eg a pointer to a similar project). Or failing that, remarks on the lines of 'if u cant use mozilla u r lame u lame wind0z3 lu20r hehe l8trz' would also be fine.
Whence? Hence. Whither? Thither.
http://www.f-secure.com/v-descs/padodorw.shtml
Seems like a nice keylogger. It also installs another trojan. Virus vendors seem to be getting on the ball. Also the site which distributes the payload is currently dying under the load. The virus is apparently bit too succesful for it's own good.
There's apparently a newly discovered exploit in IE that can compromise an IE user's machine THROUGH AN IMAGE ON A WEB PAGE.
So any server that allows posting of graphics (eBay, many discussion forums, etc) can be "infected". Even those running Linux. The only solution is to stop using IE and pray that Firefox, Mozilla, Opera, etc. exploits are few and far between. Article on graphics exploit here.
I can't operate without the google toolbar, which has no complete mozilla equivalent. There are many sites which people can't do without which use Internet Explorer. Many tools that work only with the browser. Apart from that, Firefox is the ideal browser at the moment.
___
internet, productivity blog
Ok, the article states: To prevent further abuse, the list is not published. The exploit is server side, not client side according to reports. Admins of the servers must have been warned and hopefully have cleaned the server already by now. So the public at large is not under threat from their high-profile site. Then not publishing the list is logical under the following reasoning.
What if it is a Zero day exploit on IIS. There is no fix yet. Admins are struggling to clean the servers, but have no clue if what they did to prevent whatever is going on, actually works. Criminals all over the world will be searching for clues on what the exploit is and will want to actively exploit it as well. We don't know what is going on, so it might be possible to put a nice little rootkit undetectible on the server and later use it for interesting purposes. By not naming the sites they are putting an extra, albeit thin, layer of protection around the sites. The list of websites for criminals to target, will be much longer than it could have been if each and every site that was affected would be named on the internet. Most sites are (hopefully) clean right now, so the public is not at risk, but until we know what goes on, the server sure is.
Use Adsense for Charity
The Internet Storm Centre has good information about what will be on your box if you're already infected. I think they're in \winnt\system32\inetsrv
Sorry about the duped links but more fixes, less FUD please. Yes, evil empire blah blah blah, but how about we tell people how to fix the problem instead?
You got it. Feel free to distribute this email widely. Use it as much as you want. You dont even have to give me credit.
r el eases/0.9/FirefoxSetup-0.9.exe
m ir rors - for spybot. VERY high traffic here, so be warned.a re/ for adaware.
p
:)
--
Okay, here we go.
First, you need to download a decent web browser. The #1 cause of all that spyware is Internet Explorer allowing websites to automatically install things. (its from all that porn browsing you do.)
Try firefox. Its only 5 megs to download, and its the most simplistic web browser available. You will get no popups. Its very popular, even among non-computer-obsessed folk. My mom uses it.
http://ftp.mozilla.org/pub/mozilla.org/firefox/
Now, I assume you are getting wacky popups and stuff, even when not webbrowsing.
You need to install some spyware killers.
I reccomend Spybot and adaware. These two are will rip through your pc, killing spyware dead. Blam. It may kill some software you like, but its for the better. There will be something out there that can replace anything you have to get rid of. Oh no, no more gator cursors. Whatever. Deal with it, or dont get online ever again.
http://www.safer-networking.org/index.php?page=
http://www.lavasoftusa.com/software/adaw
If those sites arnt working, you can always try "spybot download" and "adaware download" in google.
Then, on top of THOSE. (I know, I know) You need to run a virus scan proggy. Try AVG, its free and better then McAffe
http://www.grisoft.com/us/us_dwnl_free.ph
and last, but almost definitely not least, Windows Update.
Open up IE (you have to use IE for this) and go to www.windowsupdate.com Have MS scan your computer and install all the security stuff. Then reboot. This may take a long, long time, but it is the most crucial step.
comprehensive enough?
--
no
AVG free edition sygate personal firewall and Spybot seach and destroy (site down) will complete your collection nicely. Might want to have a look at Hijack this and this tutorial as well.
Yes, this is a lot of work for the price of keeping windows running. Some people don't have a choice... Me, as soon as my favourite IDE gets ported to Linux, I'll swap ;-)
Seriously though, if there are any other tools you guys use to try and keep windows secure, please share.
I can't help but chuckle every time these come out because all I hear in my head is the line,"All viruses are created after the exploit has been announced."
Keep those 0-day exploits coming, boys.
+++ATHZ 99:5:80
as I quiety tap the nails of the coffin.
-
Importing Favorites is easy.
;)
Either let it import them during installation (it will prompt you), or go to the File menu and click on Import...
I'll assume you're having just a bad day.
My problem is finding "Compose ONLY in plain text" in Thunderbird. If it's there, I can't find it.
It's never too late to have a happy childhood.
Honestly, I've not really made the switch myself. The main reason is actually kind of petty, hotkeys. I've become very used to things like shift-clicking a link to bring up extra pages or hitting ctrl-enter after typing in a word to add the http://www. and .com to it. I've been working with IE for long enough that it's second nature to use those keys. Yes, I'm sure that other browsers have ways to do these things, but one gets used to not having to think browsing the web, so learning new keys feels like a fair burden.
I wont comment on your other problems with switching. But you could at least try these things with FireFox. As it turns out both of those hotkeys do exactly the same thing as IE under FireFox. Just tried it with 0.9.
this is just generic, I don't know your familuy situation exactly, but for what it's worth,the advice is to stop fixing their computers and let them drag the boxes to the shop and pay for it to be cleaned. I'd say in a business situation the same thing if that apploies to anyone else. The concept is stolen from the way the experts advise to deal with a family member who is an addict to booze or drugs, called "tough love". Right now you are acting like an "enabler" by fixing it when it gets hosed, leaving them with the impression that "it's not that bad", when it really IS that bad, they can't see or admit to the elephant in the living room, so just stop being an enabler.
Surely it has got to be:
"FireBillGates"
I work at a bank. A lot of the applications used internally are web apps that require IE... Mozilla/Opera aren't an option because those apps require MSJVM (Microsoft Virtual Machine - no joke), Active X or other proprietary MS technology.
I'm not talking simple forms here, this for Foreign Exchange transactions.
Certificates, multiple passwords, encryption...all moot
Thanks fot the link, I've been meaning to switch from IE for a while now. Firefox looks neat, it's small and imported the bookmarks and history from IE. Easy. It also imported the saved passwords on my computer (I rarely use this option but still). Leading to a slightly offtopic and pretty stupid question: If Firefox can easily import my passwords, can't every adware and such also "import" them and send them anywhere?
IE works.
Well, the fact that you can become infected with a trojan simply by VISITING a web site, with no user interaction at all required, tells me than NO, IE does NOT work.
But that's just a reflection of my personal criteria for whether or not something works.
"I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now," he said.
Uh, use a different browser...remind me to never buy anything NetSec says (whoever they are)or sells henceforth.
Basically: create an XPCOM component in C++ (if JavaScript or Python are too slow for you) which performs the computation. Mark your XPCOM interface as scriptable, use the typelib compiler to expose it to javascript then pass in the browser DOM so it can be edited by your component. Then write an extension to catch "page loaded" and pass the DOM to the loaded XPCOM component. I think that should work.
http://www.google.com/search?q=%22217.107.218.147% 22&hl=en&lr=&ie=UTF-8&start=20&sa=N&filter =0
Personally I'd rather know the list so I don't get infected, but then again I use netscape so....
Believe me, if I started murdering people, there would be none of you left.
Maybe it's not as you want is, but a similar plugin already exist: http://moji.mozdev.org/
Studying this source might be useful for your own project.
I can't operate without the google toolbar, which has no complete mozilla equivalent.
Um, what exactly is the mozilla google toolbar (http://googlebar.mozdev.org/) missing that you can't do without?
Remember, it doesn't need popup blocking (Mozilla does that itself).
Base: An up to date host file. This can probably block 95% of web nasties, regardless of source, yet is overlooked by most people.
Second: Proxomitron. The second browser-independent tool, it's a relatively little-known local proxy that filters the crap (including more ads than virtually every other solution) from a webpage before feeding it to your browser. Also handily removes most of the ActiveX and Javascript that causes these exploits. I simply cannot recommend it enough. In addition, it's fully configurable, and there are plenty of people out there who will write custom filters to get rid of any sort of ad that slips through.
Third: Firefox. I hesitate to suggest Opera because I don't feel it's as high a quality a product, and is closed-source, meaning it could be almost as susceptible to this stuff as Internet Explorer, should the bad guys aim their sights on it.
Fourth: In-browser plugins such as Adblock, which probably won't do much to stop this particular problem, but are nice to have around regardless.
Mozilla Backup is what you need. It can be used to easily transfer a profile from one machine to another. (Supports Firefox, Thunderbird, and Mozilla)
regedit.exe
Open HKEY_CLASSES_ROOT\http\shell\open
Remove the "ddeexec" subkey (subfolder).
Go into the "command" subkey (subfolder).
Change the (Default) string to this value:
"C:\path\to\mozilla.exe" -nosplash -url "%1"
Make sure to use the full path to mozilla or firefox. Also, keep the quotes.
To test, go to the run menu and type in an http:// URL. It should pop up a new mozilla window to the webpage.
Do the same thing for HKEY_CLASSES_ROOT\https and HKEY_CLASSES_ROOT\ftp to get the HTTPS and FTP protocol handlers as well.
Mail (mailto: links) is a little trickier. Use this guide for assistance.
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON