Re: Major Internet Attack Under Way (IIS hit; Apache/SWS on VMS immune)
From: John Smith (a_at_nonymous.com)
Date: 06/25/04
- Next message: John Smith: "Re: OT: Sun / Sparc FUD"
- Previous message: Claude Marinier: "Re: DS20 from Tru64 to VMS"
- In reply to: William Webb: "Major Internet Attack Under Way (IIS hit; Apache/SWS on VMS immune)"
Date: Fri, 25 Jun 2004 16:48:46 -0400
William Webb wrote:
> <<http://www.internetweek.com/allStories/showArticle.jhtml?articleID=22102119>>
> One of the suggestions I have made to HP management is that the
> current state of webserver vulnerability is a golden opportunity for
> HP to market an entry-level, turn-key webserver-on-VMS system.
>
> Again, the opportunity arises.
Only to be squandered once again by HP.
If they were serious about marketing OpenVMS in the face of all this
worm/trojan stuff, nobody from HP's OpenVMS marketing group would be going
home this weekend until 3-4 full page newspaper ads had been designed in
conjunction with the advertising agency they use and space booked for this
coming Monday's Wall Street Journal.
That's the way a real company responds to both an opportunity and a crisis.
HP, post here if you want my help. My rates triple over weekends but I'm
worth every penny.
See also
http://itmanagement.earthweb.com/secu/article.php/3373711
Major Web Attack May Steal Financial Data
June 25, 2004
By Sharon Gaudin
IT administrators are being warned to double check their servers, and Web
surfers are being cautioned after a widespread hacker attack has compromised
major corporate Web sites and infected thousands of users' computers.
''This is a complicated, sophisticated attack,'' says Ken Dunham, director
of malicious code at iDefense, Inc., a security intelligence company based
in Reston, Va. ''This appears to be designed to ultimately steal credit card
and identity theft information, which can then be sold... There could be
hundreds of thousands of victims at this point.''
According to security researchers, an organized crime group out of Russia
has launched the attack, compromising Microsoft's IIS Web Servers. When a
Web surfer goes to that infected Web site, JavaScript is appended to the
HTML page that is called up. That script then exploits two vulnerabilities
in Internet Explorer to install a backdoor into the user's computer.
Once this is done, the JavaScript instructs the user's browser to download
and install an executable from a Russian Web site. Different executables
have been noted, but they include keystroke loggers, proxy servers and other
backdoors providing full access to the compromised system.
Dunham says the attack was coordinated by the HangUp Team, a hacker group in
Russia -- the same group supposedly responsible for the Korgo worm family.
''They're making a lot of money off this,'' says Dunham. ''And they have a
serious backend market for peddling information.''
Johannes Ullrich of the Internet Storm Center, which monitors Internet
threats, reports that his organization has been contacted directly by about
20 companies, so he estimates that 100 or more Web sites have been infected
with the hostile script.
Ullrich's estimate is lower than Dunham's: he suspects that thousands,
possibly 10,000, user machines have been infected.
Ullrich says the threat is waning as most of the infected Web sites already
have been cleaned up.
But it's been an attack that had security researchers and some IT
administrators up all night beating back the flames and trying to figure out
exactly how the attack worked.
''This was very dangerous,'' says Steve Sundermeier, a vice president at
Medina, Ohio-based Central Command, Inc. ''It's alarming in that you have
large, legitimate corporations being used as a tool. As a user, especially
if you're entering credit card information, you expect secure Web sites.
Their financial security could be breached. And for the credibility of the
corporation, this is a huge problem.''
Researchers would not release the names of the companies and Web sites that
were compromised for fear of compounding their problems. Ullrich, however,
says the compromised sites included industry associations, banks, brokerages
and travel-related sites.
The question now is how were the corporate servers infected?
Researchers are still investigating the attack and have been slightly thrown
by reports from corporate administrators who said their machines had been
fully patched.
Dunham reports that there is some speculation, even coming from the
Microsoft camp, that the break-ins and server infections are related to the
MS04-11 vulnerability.
''With fully patched boxes being infected, it appears there may be another
component of the MS04-11 vulnerability,'' says Dunham. ''There's a whole
bunch of stuff in there and some of it is related to the IIS servers... We
don't know how they are getting exploited. We're talking about highly secure
environments.''
Ullrich, however, says it's possible that the sites were compromised some
time ago before the servers were patched.
Microsoft recommends that users run a search for kk32.dll and surf.dat. If
either of the two files is present, the computer may be infected. Computers
can be cleaned by using up-to-date anti-virus software.
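The file check the article attributes to Microsoft, written out as a small sweep. This is an added illustration, not Microsoft's, iDefense's or the Internet Storm Center's tooling; the two indicator filenames come from the article, the sample listing is constructed, and a hit only means the machine "may be infected" and should be examined with current anti-virus software, as the article says.

```python
"""Sweep a file listing or tree for the two filenames the article says
Microsoft advised users to search for (kk32.dll and surf.dat).
Added example; not vendor code. Indicator names are from the article."""
import ntpath
import os
from typing import Iterable, List

# Indicator filenames quoted in the article. Matching is case-insensitive
# because Windows filesystems are.
INDICATOR_FILES = ("kk32.dll", "surf.dat")


def find_indicators(paths: Iterable[str],
                    indicators: Iterable[str] = INDICATOR_FILES) -> List[str]:
    """Return every path whose basename matches an indicator filename.
    ntpath.basename understands both '\\' and '/' separators, so a listing
    exported from a Windows host can be checked on any platform."""
    wanted = {name.lower() for name in indicators}
    return [p for p in paths if ntpath.basename(p).lower() in wanted]


def walk_files(root: str) -> Iterable[str]:
    """Yield all file paths under root, silently skipping unreadable dirs."""
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            yield os.path.join(dirpath, name)


def verdict(hits: List[str]) -> str:
    """Per the article: either file present -> the computer may be infected."""
    return "possibly infected" if hits else "no indicator files found"


# Constructed sample listing (not from a real host) so the check runs
# offline; the mixed-case KK32.DLL must still match.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\KK32.DLL",
    r"C:\Documents and Settings\user\Local Settings\Temp\surf.dat",
    r"C:\Program Files\app\readme.txt",
]

if __name__ == "__main__":
    import sys
    # Pass a directory to sweep a live tree; otherwise use the sample listing.
    paths = walk_files(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LISTING
    found = find_indicators(paths)
    for hit in found:
        print("indicator:", hit)
    print(verdict(found))
```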