Bettina Beispiel wrote on 26.1.2006 at 16:41:03 about

warnung

Servers compromised all over the globe
By Roel Schouwenberg | Nov 30 2004 13:49 GMT

November has been a big month for compromised servers, proving again that everyone on the Internet needs to watch out.

On November 20th a very popular adserver got compromised, and started distributing malware.

Analysis showed that hackers had compromised one of the load balancers, used to distribute traffic and send viewers to other sites. About one in every thirty requests was directed to the other compromised server. Exploit.HTML.Iframebof had been placed on this server.

This exploit has been mentioned before on www.viruslist.com - it affects all versions of Internet Explorer except Windows XP with SP2. In this case, the exploit was used to install Trojan-Downloader.Win32.Small.aaq, which in its turn attempted to download Backdoor.Win32.Agent.ec.

This malicious program was repacked with a variety of packers in order to evade detection by antivirus software. The backdoor makes it possible for a remote malicious attacker to download and execute files on the victim machine.

Several other web servers have also been attacked, with compromised servers directing users to sites where adware, spyware, and/or porn dialers will be installed onto victim machines.

Backdoors can be used to turn machines into spamming platforms and for phishing attacks. Adware is another profitable business. It looks as though there may be a group at work which is out to make money by hacking servers.

In addition to the compromised adserver, the end of the month has brought another two server attacks, both interesting in their own way.

The SCO website has been defaced twice by a hacker or group of hackers, who placed new banners at the top of the site. The new banner read 'We own all your code. Pay us all your money'. The SCO site is frequently attacked due to the company's unpopularity among the open source community. The site has now been restored to its original state, but at the time of writing SCO did not seem to have issued a statement about the attack.

On a slightly different note, the Chaos Computer Club (CCC), a hacking group with a long history, has had its own server hacked. Spanish hackers gained access to personal registration information for the group's 2003 summer camp, and published some of it on the Internet. The CCC has acknowledged the breach in security, and thanked the Spanish group for bringing vulnerabilities to its attention.

But whether it's a major adserver which starts distributing malware, a commercial site, or an underground site, the server attacks of the last month highlight several critical issues:

* Users do not expect to be infected by reputable sites
* Many people only use an antivirus solution to monitor their email, rather than taking steps to ensure overall system safety
* The adserver incident again utilized Exploit.HTML.Iframebof - there is still no patch available for the vulnerability used by this exploit. Anyone running a system without SP2 is potentially vulnerable

So the past month shows cyber-crime is continuing to evolve: another attempt to establish a large scale botnet in order to make money. In addition to this, the damage caused in terms of lost income, and recovery expenses (both for the organisations concerned and for individual users with infected machines) comes to a significant sum.

In short, November confirmed that the Internet is becoming more and more dangerous for all users. Businesses, government organisations and end users have to make sure that they keep their OS, their security solutions and other applications completely up to date.

Users take note - there is no longer any such thing as a safe site!
Source:
Kaspersky Lab


User rating: -1