Compromise of major Web hosting sites reported
- By William Jackson
- Jun 25, 2004
The Internet security community reports that a compromise of servers hosting major Websites is infecting government, corporate and personal computers.
The origin and extent of the compromise is not yet known, but browsers accessing sites on the affected servers receive malicious code that directs the computer to a Russian address, where additional code is downloaded.
'The reason for the attack seems to point back to the spamming community,' the SANS Institute of Bethesda, Md., said in a bulletin. 'We don't see any evidence that this attack is related to the construction of a distributed denial of service network.'
'Apparently there is a widespread compromise of the hosting facilities,' that provide distributed content delivery services for Websites, said Daniel Frasnelli, manager of the Technical Assistance Center for NetSec Inc. of Herndon, Va.
According to SANS, the Russian IP address from which malicious code is downloaded to infected computers is 220.127.116.11.
The new code can enable remote control of the infected computer, and also log keystrokes so that confidential information such as user IDs, passwords and PINs can be stolen, Frasnelli said.
TippingPoint Technologies Inc. of Austin, Texas, concluded that it is likely servers were compromised through known IIS vulnerabilities recently reported by Microsoft. The server-based code then exploits IE vulnerabilities.
The attack underscores the shrinking window between the discovery of vulnerabilities and their exploitation.
'The problem is exacerbated by the fact that there are no patches to protect users against one of the latest Internet Explorer vulnerabilities potentially used in the attack,' said David Endler, TippingPoint director of digital vaccine. 'The vulnerability first surfaced only a couple of weeks ago when it was discovered in the wild being used to upload adware to unsuspecting users.'
SANS reported that initial infections came as early as June 20. The problem apparently was first noticed early June 24, when security companies began notifying customers of the threat and blocking traffic from the IP address, Frasnelli said.
'The address was already on our watch list, associated with suspicious activity' such as spam, system scans and mail relay, Frasnelli said.
SANS director Allan Paller praised the response of the Homeland Security Department.
'One of my concerns since cyber security responsibility moved to DHS was how good would the response be,' Paller said.
He said the department's Cyber Security Division quickly communicated with the security community both in and outside of government, making samples of code available for analysis and cooperating with the search for the origin and fixes for the threat.
'It was a very inclusive operation,' Paller said. 'So they get an A on the discovery and response side.'
(Posted 10:53 a.m., updated 3:55 p.m.)
William Jackson is a Maryland-based freelance writer.