Archive for June 25th, 2004

4 years, 3 months ago

Okay people….how many times….

Do I have to tell you people to STOP USING INTERNET EXPLORER? Want to know why? Well, read this, people!

http://isc.sans.org/diary.php

“UPDATE (1930 UTC) - Several readers have responded and confirmed that this is a wide-spread issue. Here is what we know so far:

- An IIS server’s configuration is somehow modified so that “enable document footer” is enabled for various (if not all) files and linked to the new .dll file(s) in \winnt\system32\inetsrv. This might be done with the help of a program called agent.exe installed via one of the multiple known IIS vulnerabilities. (Thanks, Patrick and Ben!)

- When a visitor browses the site, all of the objects with their properties set to “enable document footer” are sent to the client browser with the JavaScript appended to the end of the file. If the visitor is running an updated version of AV software, the modified files (which include images as well as .html) are detected as being infected.

- The visitor’s browser is re-directed to the Russian URL listed below where a known Trojan program (msits.exe) is downloaded, along with some additional malware. Again, if the user’s machine is updated with current AV software, this malware is detected and blocked. (Thanks, Michael!)

- The earliest reported infection was on June 20th (four days ago).

What we DON’T know, and can use some help in figuring out, is how the malware is installed on the IIS server to begin with. Is there a zero-day floating around? Is it via a known vulnerability and the use of agent.exe as mentioned above? (Ed Skoudis, one of our handlers, suggested that perhaps the IIS system admin used a local copy of IE to browse a site and pulled down hostile JavaScript. Does that jive with anybody’s findings?)

Our concern is that there might be an IIS zero-day floating around. We won’t list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched.”

What does this mean? It means that just by VISITING a website in IE you could UNKNOWINGLY HAVE SPAMWARE INSTALLED ON YOUR COMPUTER.

How do you stop this from happening?

1. STOP USING INTERNET EXPLORER! Go download Firefox 0.9 from http://www.mozilla.org/ or download Mozilla 1.7 or get a copy of Opera 7 from http://www.operasoftware.com/

2. Turn off JavaScript in the meantime just to be safe.

Every time you run Internet Explorer, you run the risk of being infected with numerous kinds of malware, spyware, or spamware through its many well-documented yet still unpatched security holes. DO NOT USE IT!
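For anyone running a web server, the footer behaviour in the ISC diary quoted above (script appended to the end of served files, images included) can be checked for in the responses the server sends. The following is an added example, not code from ISC or from this blog; it covers HTML and GIF only, the function names are hypothetical, and the sample bytes are constructed.

```python
import re

HTML_END = re.compile(rb"</html\s*>", re.I)
SCRIPT_TAG = re.compile(rb"<\s*script\b", re.I)

def _skip_sub_blocks(data, pos):
    # GIF sub-blocks are <length><bytes>..., ended by a zero length byte.
    while data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1

def _table_size(flags):
    # Colour table is present when bit 7 is set; size is 3 * 2^(N+1) bytes.
    return 3 * 2 ** ((flags & 7) + 1) if flags & 0x80 else 0

def gif_end(data):
    """Walk the GIF block structure; return the offset just past the trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13 + _table_size(data[10])
    while True:
        block = data[pos]
        if block == 0x3B:                      # trailer: logical end of file
            return pos + 1
        if block == 0x21:                      # extension: label + sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif block == 0x2C:                    # image descriptor (10 bytes)
            pos += 10 + _table_size(data[pos + 9])
            pos = _skip_sub_blocks(data, pos + 1)  # +1: LZW minimum code size
        else:
            raise ValueError("unexpected GIF block")

def appended_payload(body, content_type):
    """Bytes served after the object's logical end (b'' if none or unknown)."""
    ctype = content_type.split(";")[0].strip().lower()
    try:
        if ctype == "text/html":
            end = HTML_END.search(body)
            return body[end.end():].strip() if end else b""
        if ctype == "image/gif":
            return body[gif_end(body):].strip()
    except (ValueError, IndexError):           # malformed or truncated object
        pass
    return b""

def footer_injected(body, content_type):
    return bool(SCRIPT_TAG.search(appended_payload(body, content_type)))

# Constructed samples: a 1x1 GIF, a tiny page, and a harmless stand-in footer.
GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
       b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
PAGE = b"<html><body>hello</body></html>\n"
FOOTER = b"<script>/* constructed placeholder */</script>"
```

Feed `footer_injected` the raw body and `Content-Type` of each response fetched from your own site; a script tag after the end of an image is never legitimate, and one after `</html>` deserves a look at the server's document footer setting.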




About the Author

Daniel Spisak

Daniel Spisak was born from the fiery depths of fusion and now roams the pale blue dot known as Earth. I obtained my bachelor's degree in Computer Science from UC Irvine at the end of 2007.

I am also involved in technology & security consulting firms as well as being a freelance technology writer. I also contribute to Jerry Pournelle's website and Chaos Manor Reviews. Additionally, I am a freelance photographer, and you can find my photos on my own personal gallery, at my Flickr account, or on Zivity.

This blog is one of the main locations where I do my writing, which is then automatically sent to my LiveJournal, VOX, and MySpace accounts. I can also be found on a variety of social networking and microblogging sites like Pownce, Twitter, Brightkite, Facebook, and LinkedIn.

If you're viewing this site with Internet Explorer it may not look correct because IE is horrible about following W3C web standards properly or consistently. I suggest you try browsing the Internet with Firefox. It is much better and not as vulnerable to security flaws as IE can be.
