Saturday, June 26, 2004

SEC: 'Russian crime gang' targets PCs

Herald Sun: 'Russian crime gang' targets PCs [26jun04]

From Rob Lever in Washington

A MYSTERIOUS computer infection is spreading on the Internet, with visitors to some popular websites unwittingly downloading programs that could allow hackers to steal sensitive data.

Unlike viruses that spread by e-mail, the infection is propagated simply by visiting an infected site, security experts said today.

A so-called trojan or keystroke logger then allows hackers access to the PCs.

Security experts have given the malicious program various names: Scob, Download.Ject, Toofer and Webber.P.

"Users should be aware that any website, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code," said the US Government-funded Computer Emergency Readiness Team (CERT).

The trojan affected websites running Microsoft's IIS 5.0 program for Web servers, experts said.

"If users of Internet Explorer visit web pages infected by Scob, their computer may attempt to download a file from a Russian website," the security firm Sophos said.

Patrick Hinojosa, chief technology officer at Panda Software, said the number of infected computers was not known, but that experts hoped to have a better idea of the spread in coming days.

"It's a troublesome development," he said.

"This is one of the first times we're seeing large websites having been hacked to have this type of code that affects the user ... a large amount of Internet traffic hits these sites."

Panda Software said the danger in the new threat was that it "is difficult to recognise, as it does not display any messages or warnings that indicate it has reached the computer".

Because of an apparent financial motive and the link to Russian servers, Mr Hinojosa said: "We suspect there is Russian organised crime or something like it behind this."

The security firm LURHQ said the trojan program appeared aimed at stealing passwords or financial information.

"The trojan appears to be designed for the purposes of 'phishing,' that is, stealing financial and other account details from the infected user," LURHQ said.

"While most phishing is done via e-mail, this trojan directly captures password and logins if the infected user attempts to log in to eBay or (payment site) Paypal and also Earthlink, Juno and Yahoo webmail accounts."

Microsoft called the incident "critical" and urged users to download updates to protect their systems.

"A large number of websites, some of them quite popular, were compromised earlier this week to distribute malicious code," said the Internet Storm Center of the SANS Institute, a collaborative effort of universities and private researchers.

SANS did not name the sites.

"If a user visited an infected site, the javascript delivered by the site would instruct the user's browser to download an executable from a Russian website and install it," SANS said.

"These trojan horse programs include keystroke loggers, proxy servers and other back doors providing full access to the infected system."

SANS noted that it was not the first time trojans had been attached to websites, but said: "This attack is special because it affects a large number of servers and is not easily detectable."
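The SANS description above (a page on a compromised site carrying script that points the visitor's browser at an outside host) suggests a simple check a site operator can run over their own HTML. The following is an added example, not code from the article or from any of the organisations it quotes: it assumes the operator keeps an allowlist of hosts their pages legitimately load scripts from, and flags any `<script src>` or inline script that references some other host. The sample pages and the hostnames in them are constructed for the example.

```python
"""Audit HTML pages for script references to hosts outside an allowlist.

Added illustration (not the article's or any vendor's code). Assumes the
site operator knows which hosts their pages legitimately load scripts from;
anything else that a script tag pulls in or names is reported for review.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: hosts this site is expected to load scripts from.
ALLOWED_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

# Crude matcher for absolute URLs embedded in inline script text.
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)


class ScriptAuditor(HTMLParser):
    """Collects (kind, host, url) for every script reference to a non-allowlisted host."""

    def __init__(self, allowed):
        super().__init__()
        self.allowed = {h.lower() for h in allowed}
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":          # HTMLParser lowercases tag names
            return
        self._in_script = True
        src = dict(attrs).get("src")
        if src:
            self._check_url(src, "external script")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text.
        if self._in_script:
            for url in URL_RE.findall(data):
                self._check_url(url, "inline script URL")

    def _check_url(self, url, kind):
        host = urlparse(url).hostname  # None for relative URLs, which are not flagged
        if host and host.lower() not in self.allowed:
            self.findings.append((kind, host.lower(), url))


def audit_html(html, allowed=ALLOWED_HOSTS):
    """Return a list of (kind, host, url) findings for the given HTML document."""
    parser = ScriptAuditor(allowed)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample pages: a clean one, and the same page with two
# script references to an unexpected host appended before </body>.
SAMPLE_CLEAN = """<html><head>
<script src="https://cdn.example-shop.test/app.js"></script>
</head><body><p>Welcome</p></body></html>"""

SAMPLE_INJECTED = SAMPLE_CLEAN.replace(
    "</body>",
    '<script src="http://unexpected-host.invalid/x.js"></script>\n'
    '<script>var u = "http://unexpected-host.invalid/p";</script></body>',
)

if __name__ == "__main__":
    for name, page in (("clean", SAMPLE_CLEAN), ("injected", SAMPLE_INJECTED)):
        print(name, audit_html(page))
```

Run over a copy of the web root, this reports the host behind each unexpected script reference; the finding is only a pointer for a human to confirm, since legitimate third-party scripts that are missing from the allowlist will show up the same way.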

Mr Hinojosa and other experts said users could protect themselves by turning off JavaScript in Internet Explorer, which blocks the scripting language websites use for graphics and other functions.

"It may mean some websites may not function well, but I would rather have that than have my PC taken over," he said.

