Compromise of major Web hosting sites reported

The Internet security community reports that a compromise of servers hosting major Websites is infecting government, corporate and personal computers.

The origin and extent of the compromise is not yet known, but browsers accessing sites on the affected servers receive malicious code that directs the computer to a Russian address, where additional code is downloaded.

'The reason for the attack seems to point back to the spamming community,' the SANS Institute of Bethesda, Md., said in a bulletin. 'We don't see any evidence that this attack is related to the construction of a distributed denial of service network.'

Security organizations are not identifying affected Websites but say the list is long. At the time of writing, antivirus signature files for the infection were not available. Web surfers can protect themselves by disabling JavaScript and other forms of active scripting on their browsers.

'Apparently there is a widespread compromise of the hosting facilities,' that provide distributed content delivery services for Websites, said Daniel Frasnelli, manager of the Technical Assistance Center for NetSec Inc. of Herndon, Va.

According to SANS, the Russian IP address from which malicious code is downloaded to infected computers is 217.107.218.147.

The threat is a two-stage attack that exploits vulnerabilities in both server and client software. The problem stems from a modification in Microsoft IIS 5 server configurations to enable the document footer option for downloaded files. When a browser accesses these files, appended JavaScript exploiting vulnerabilities in Microsoft Internet Explorer redirects the browser to the Russian address, where additional pieces of code can be downloaded without the user's knowledge.

The new code can enable remote control of the infected computer, and also log keystrokes so that confidential information such as user IDs, passwords and PINs can be stolen, Frasnelli said.

'We still do not know how the IIS servers are originally infected with the JavaScript or the modification to the configuration files,' SANS said.

TippingPoint Technologies Inc. of Austin, Texas, concluded that it is likely servers were compromised through known IIS vulnerabilities recently reported by Microsoft. The server-based code then exploits IE vulnerabilities.

The attack underscores the shrinking window between the discovery of vulnerabilities and their exploitation.

'The problem is exacerbated by the fact that there are no patches to protect users against one of the latest Internet Explorer vulnerabilities potentially used in the attack,' said David Endler, TippingPoint director of digital vaccine. 'The vulnerability first surfaced only a couple of weeks ago when it was discovered in the wild being used to upload adware to unsuspecting users.'

SANS reported that initial infections came as early as June 20. The problem apparently was first noticed early June 24, when security companies began notifying customers of the threat and blocking traffic from the IP address, Frasnelli said.

'The address was already on our watch list, associated with suspicious activity' such as spam, system scans and mail relay, Frasnelli said.

SANS director Allan Paller praised the response of the Homeland Security Department.

'One of my concerns since cyber security responsibility moved to DHS was how good would the response be,' Paller said.

He said the department's Cyber Security Division quickly communicated with the security community both in and outside of government, making samples of code available for analysis and cooperating with the search for the origin and fixes for the threat.

'It was a very inclusive operation,' Paller said. 'So they get an A on the discovery and response side.'

(Posted 10:53 a.m., updated 3:55 p.m.)

About the Author

William Jackson is a Maryland-based freelance writer.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.