NunYa
http://www.snpx.com/cgi-bin/news5.cgi?target=www.newsnow.co.uk/cgi/NGoto/67515995?-2622
By Paul Roberts
IDG News Service, 08/19/04
A new version of the worm that spread from infected Microsoft Internet
Information Services Web servers in June has been identified and is
using instant messages and infected Web sites in Russia, Uruguay and
the U.S. to spread itself, according to one security company.
Researchers at PivX Solutions of Newport Beach, Calif., have
intercepted new malicious code that closely resembles widespread
attacks in June attributed to a malicious computer code named "Scob"
or "Download.ject." The new attacks use mass-distributed instant
messages to lure Internet users to Web sites that distribute malicious
code similar to Download.ject, said Thor Larholm, senior security
researcher at PivX.
First detected on June 24, the Scob attacks were attributed to a
Russian hacking group known as the "hangUP team," which used a
recently patched buffer overflow vulnerability in Microsoft's
implementation of Secure Sockets Layer to compromise vulnerable
Windows 2000 systems running IIS Version 5 Web servers. Companies that
used IIS Version 5 and failed to apply a recent security software
patch, MS04-011, were vulnerable to compromise.
The June attacks also used two vulnerabilities in Windows and the
Internet Explorer Web browser to silently run the malicious code
distributed from the IIS servers on machines that visited the
compromised sites, redirecting the customers to Web sites controlled
by the hackers and downloading a Trojan horse program that captures
keystrokes and personal data.
The new attacks begin with instant messages sent to customers using
AOL's AOL Instant Messenger (AIM) or ICQ instant message program. The
messages invite recipients to click on a link to a Web page, with
pitches such as "Check out my new home page!" The messages could be
sent from strangers or from regular IM correspondents, or "buddies,"
Larholm said.
Once victims click on the link, they are taken to one of a handful of
attack Web pages hosted on servers in Uruguay, Russia and the U.S.,
from which a Trojan horse program is downloaded.
In addition to opening a "back door" on the victim's computer through
which more malicious programs can be downloaded, the new attacks
change the victim's Web browser home page or Outlook e-mail search
page to Web sites featuring adult content, Larholm said.
PivX is still analyzing the attacks to see if malicious code is placed
on victims' machines, but many of the files used by the new worm and
the way in which the attacks are being carried out point to the same
group that launched the Scob attacks in June, Larholm said.
"The code is different enough to be something of its own, but unique
enough to be related," he said. "And as with the Scob attacks, this is
all about money -- in this case, driving ad revenue for specific
people."
The attack Web sites take advantage of vulnerabilities in Internet
Explorer and Outlook that Microsoft has patched, but that allow the
attackers to place and run malicious code on unpatched systems. Two
patches from 2003, MS03-025 and MS03-040, address the flaws used by the
new worm, Larholm said.
Anti-virus companies were informed of the new malicious code but did
not have virus signatures issued Thursday, Larholm said.