
Systematic digital infection via compromised corporate web sites


As I write this, infection requires no more than a PC user visiting a co-opted website, but this time the corrupted sites are not the fringe of marginal sites or IRC chat rooms but mainstream, and include such stalwarts as "auction sites, price comparison sites and financial institutions," including banks.

Poorly secured mainstream corporate websites are being penetrated and malware is being inserted that exploits two IE flaws for which Microsoft has yet to release a patch and for which no antivirus vendors have established detection and neutralization for the Trojan. There is presently no defense save for:

  • Setting IE browser security to high (which makes a number of sites nonfunctional)
  • Choosing a different browser than IE
  • Using a Mac
  • Staying off the web

Marking a frequented site as trusted is problematic: however legitimate its content, the site's IT folks may have been sloppy, leaving the server open to exploit. Using a properly set up firewall might at least block, or alert the owner to, illegal outgoing traffic.

I have written often of the impact of the failure to prevent bad guys from operating inside our decision cycle, or in combat terms, operating inside the OODA Loop of your opponent as defined by John Boyd. In "This exploit tool is fearsome. It should be on your box," I spoke of 'a loop trip of a matter of days and hours may be reduced to minutes.' This attack reduces it to zero. No defense, no active virus or passive worm, just pay a visit. Dick Clarke is again vindicated.

The Internet Storm Center tracks the growing list but maintains that it "won't list the sites that are reported to be infected in order to prevent further abuse." I think otherwise, feeling that the harsh glare of public identification will make the victims finally look to securing the web servers. "Researchers" offers a good lay description but if you want the geek details, go to the "Handler's Diary."

The perp or perps are assumed to be mainstream criminal gangs intent on inserting spamware, or part of the larger activities of Russian organized crime groups, or perhaps one and the same. The level of sophistication of the attack is high: it is customized malware and not a script-kiddie copycat, the redirect sites are in Russia, and the operation appears to be well funded:

"When a victim browses the site, the [inserted malicious] code redirects them to one of two sites, most often to another server in Russia. That server uses the pair of Microsoft Internet Explorer vulnerabilities to upload and execute a remote access Trojan horse, RAT, to the victim's PC. The software records the victim's keystrokes and opens a back door in the system's security to allow the attacker to access the computer."
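The inserted code described above lives on the compromised server, so the site owner can look for it before visitors do. The following scanner is an added example, not code from the original post, the Internet Storm Center, or the Lemos article. It assumes the owner keeps an allowlist of hosts a page may legitimately reference (ALLOWED_HOSTS, a hypothetical value) and flags any script, frame, object, or redirect that hands the browser off to a host outside that list, which is the footprint of a redirect injected into an otherwise legitimate page. The sample page is constructed for the example.

```python
"""Content-integrity check for pages a corporate web server serves.

Added example, not from the original post. Assumes the site owner knows
which hosts a page may legitimately load content from (ALLOWED_HOSTS is a
hypothetical allowlist) and wants every reference elsewhere reported.
"""
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

# Hosts the site is expected to reference (constructed for this example).
ALLOWED_HOSTS = {"www.example-bank.test", "static.example-bank.test"}

# Inline-script assignments that send the browser to another URL.
REDIRECT_RE = re.compile(
    r"""(?:window\.location|document\.location|location\.href)\s*=\s*["']([^"']+)["']""",
    re.IGNORECASE,
)


def _external_host(url: str) -> Optional[str]:
    """Return the host of url if it is absolute and not allowlisted, else None.

    Relative URLs have no host and are treated as same-site.
    """
    host = urlparse(url).hostname
    if host and host.lower() not in ALLOWED_HOSTS:
        return host.lower()
    return None


class _Scanner(HTMLParser):
    """Collects (reason, url) pairs for every off-site load or redirect."""

    def __init__(self) -> None:
        super().__init__()
        self.findings = []  # list of (reason, url)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag in ("script", "iframe", "frame", "embed", "object"):
            src = attrs.get("src") or attrs.get("data")
            if src and _external_host(src):
                self.findings.append((f"external {tag} source", src))
        elif tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            m = re.search(r"url\s*=\s*(\S+)", content, re.IGNORECASE)
            if m and _external_host(m.group(1)):
                self.findings.append(("meta refresh to external host", m.group(1)))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data; inspect them for redirects.
        if self._in_script:
            for url in REDIRECT_RE.findall(data):
                if _external_host(url):
                    self.findings.append(("inline script redirect", url))


def scan_page(html: str):
    """Return every external script/frame/redirect reference found in html."""
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: a legitimate login page with injected code appended after
# </html>, the placement a server-side insertion typically leaves behind.
SAMPLE_PAGE = """<html><head><title>Account login</title>
<script src="https://static.example-bank.test/app.js"></script>
</head><body><form action="/login">...</form></body></html>
<script>window.location="http://redirect.invalid/x.php"</script>
<iframe src="http://redirect.invalid/frame.html" width="0" height="0"></iframe>
"""

if __name__ == "__main__":
    for reason, url in scan_page(SAMPLE_PAGE):
        print(f"ALERT: {reason}: {url}")
```

Run it over the HTML the server actually returns (fetched through the front end, not read from disk) so that anything appended at serving time is included; a clean page yields an empty list, and any non-empty result on a page that has not been changed by the site's own staff is the signal to take the server offline and investigate.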

I have often mused that sufficiently well-funded criminal gangs will form their own 'antivirus/anti-exploit' group (or buy or penetrate an existing one) for the purpose of surreptitiously identifying exploit opportunities and so stay perpetually ahead of the good guys. Microsoft surely understands the need to develop a more secure browser and a vastly simpler patch scheme, but now the ante has been raised.

Your OODA Loop is now zero and could stay that way, on and off, for some time. That will do wonders for Internet commerce.

Sources cited above:

  • "Researchers warn of infectious Web sites," Robert Lemos, June 25, 2004, 9:03 AM PT
  • Handler's Diary, Internet Storm Center, June 24th 2004 (updated June 25th 2004 01:27 UTC): "{update #2} .org dns problems, RFI - Russian IIS Hacks?"

Gordon Housworth
