Corporate Servers Spreading IE Virus [Updated]

CowboyNeal posted more than 10 years ago | from the ill-and-infectious dept.

Security 1028

uncadonna writes "ZDNet is reporting that corporate web servers are infecting visitors' PCs. The combination of two unpatched IE security holes and hacked corporate websites is apparently distributing malware via several high-credibility sites. ZDNet says users have 'few options' other than alternative browsers or platforms."

Update: 06/25 14:50 GMT by J: A reader points out Microsoft's What You Should Know page. Here's the short version for avoiding this Critical severity attack: you must install add-on software, and change multiple settings in multiple programs, thus causing "some Web sites to work improperly." By changing more settings, you can regain functionality for a particular site if "you trust that it is safe to use," which you have no way of knowing. Or try Firefox.

Update: 06/25 19:30 GMT by J: Reuters reports the attack installs a keysniffer which can steal credit card numbers, passwords, and so on. The story offers safety tips, but fails to mention that, after patching the hole, many users will be infected without their knowledge. Shouldn't the "fix" include ceasing to type anything important into your computer until you purchase software which can detect and remove the Trojan? And will you be downloading that software with Mastercard or Visa?


1028 comments


f. (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9526398)

f.

hehe (-1, Offtopic)

r3m0t (626466) | more than 10 years ago | (#9526400)

FPFPFP!

yes (5, Funny)

mwolff (594593) | more than 10 years ago | (#9526401)

http://www.mozilla.org

Re:yes (2, Informative)

LooseChanj (17865) | more than 10 years ago | (#9526415)

http://www.opera.com

Re:yes (-1, Troll)

Ath (643782) | more than 10 years ago | (#9526419)

That mod should be Informative, not Funny.

Re:yes (4, Insightful)

Pros_n_Cons (535669) | more than 10 years ago | (#9526475)

Why, who's that informing? This is slashdot you don't think anyone has heard of mozilla? Now that's funny!

Firefox (2, Insightful)

Anonymous Coward | more than 10 years ago | (#9526406)

You heard the man.

Go get Firefox [mozilla.org] now!

Wonder How Microsoft Will React (5, Insightful)

RDosage (694318) | more than 10 years ago | (#9526410)

And I also wonder how many people will actually heed the call and switch their browser.

However, I doubt Microsoft will do anything for at least two months. Hopefully by then a major news source will pick up the story and everyone will hear it.

Re:Wonder How Microsoft Will React (4, Informative)

pyrosoft (44101) | more than 10 years ago | (#9526434)

You mean like CNN [cnn.com] ?

Re:Wonder How Microsoft Will React (4, Interesting)

linuxci (3530) | more than 10 years ago | (#9526511)

You mean like CNN?

A quick scan of that article and I couldn't see any mention of using an alternative browser, just the usual "update virus checker, etc"

We need these sites to push the idea of Mozilla to the masses

Re:Wonder How Microsoft Will React (5, Insightful)

NeoThermic (732100) | more than 10 years ago | (#9526455)

>> And I also wonder how many people will actually heed the call and switch their browser.

Very very few. I've got firefox installed on my family computer. Despite them getting infected with adware and spyware through IE, none of them want to use firefox. I've asked them many times, and even gone to the point of deleting IE, but their resilience to use anything else forced me to put it back on (amongst other reasons).

However, while Microsoft are normally very good at patching these security faults, this time they have totally failed. The blame doesn't rest with stubborn users who refuse to switch. The blame rests with Microsoft's inability to provide a patch in time.

Once they do supply a patch, it will then turn into the case of a stupid user who doesn't patch. (and my server's apache logs show this, I'm still getting attacked by Code Red from infected servers who have not been patched).

Hopefully Microsoft will adapt to the pressure created by the users not being happy with the situation and release a patch.

Then again, looking at the age of IE and the number of requests to make a better version added to the time it's taken them to respond, I'm starting a pool for those who want to bid on the release date of the patch. All dates start from 2005 onwards...

NeoThermic

Re:Wonder How Microsoft Will React (5, Interesting)

tdemark (512406) | more than 10 years ago | (#9526553)

Despite them getting infected with adware and spyware through IE, none of them want to use firefox. I've asked them many times, and even gone to the point of deleting IE, but their resilience to use anything else forced me to put it back on (amongst other reasons).

If you would be so kind, I am really curious what the reasons were.

What I have always done is download Firefox, change the icon to the blue E, and rename the shortcut "Internet Explorer". I then tell them, "It's the new version of Internet Explorer, called Mozilla."

I have had no people complain or ask to have the "old" version back. In fact, the only thing I have heard is praise ("It's so fast", "I don't get pop-ups anymore", etc).

I've done this for about 60 users (45 computers), so far.

- Tony

Re:Wonder How Microsoft Will React (-1, Troll)

rebeka thomas (673264) | more than 10 years ago | (#9526506)

Why would they need to? read...

"The combination of two unpatched IE security holes and hacked corporate websites is apparently distributing malware via several high-credibility sites. ZDNet says users have 'few options' other than alternative browsers or platforms."

You do have another option. Once again it's UNPATCHED USERS who are having problems. Well the simple solution is, unless you're into just microsoft bashing, is to PATCH YOUR SYSTEMS.

Repeat it a hundred times until it sinks in.

Re:Wonder How Microsoft Will React (1)

halowolf (692775) | more than 10 years ago | (#9526531)

After reading the article I got the distinct impression that there are no patches available yet to fix this problem. In the part where they said there are no patches to fix this problem.

"This time, however, the flaws affect every user of Internet Explorer, because Microsoft has not yet released a patch."

Short of installing another browser that is...

Re:Wonder How Microsoft Will React (4, Informative)

NeoThermic (732100) | more than 10 years ago | (#9526538)

>> Well the simple solution is, unless you're into just microsoft bashing, is to PATCH YOUR SYSTEMS.

That would work, but the article states that there are no patches as of yet for these two security holes...

From the article:

"The researchers believe that online organized crime groups are breaking into Web servers and surreptitiously inserting code that takes advantage of two flaws in Internet Explorer that Microsoft has not yet fixed."

NeoThermic

Re:Wonder How Microsoft Will React (3, Interesting)

Anonymous Coward | more than 10 years ago | (#9526536)

And I also wonder how many people will actually heed the call and switch their browser.

Not many. They will rather believe it is a kind of valuable new feature, and they will perceive the inability of being infected as another flaw in mozilla. You probably think I'm joking, but, sadly, I'm not. I was recently forced to work with two windows-minded webmasters and this is exactly the way their brains work. MSIE cannot by definition have any flaws. If MSIE is not standards-compliant, well, too bad for the standards. I'm not even sure such folks can comprehend the concept of technical standards. And they won't listen to an opinion coming from someone who uses linux and doesn't approve piracy. You don't steal software => you are irrational, perhaps insane => you can't be trusted. And the <input type crash> bug was not a bug, it was Microsoft's joke. And GIMP is simply unusable.

So, I say, those windows users who are not totally fucked up have already switched to mozilla. Others will never switch.

I thought ZD were MS shills (3, Funny)

samjam (256347) | more than 10 years ago | (#9526554)

I have thought for years that Ziff-Davis were Microsoft Shills. [I don't mean all MS software is bad, I just mean Ziff-Davis seemed impervious to facts in their reviews]

If ZDNet is saying to stop using IE things must be bad.

I have tried to depart from IE 2 or 3 times but failed. As soon as I type this message I make the move for good. Hello Mozilla.

Sam

Re:Wonder How Microsoft Will React (0)

Anonymous Coward | more than 10 years ago | (#9526555)

However, I doubt Microsoft will do anything for at least two months. Hopefully by then a major news source will pick up the story and everyone will hear it.

Ahh but they're doing something as I type this message: Spending money on Advertising a Free Security Tools give-away on this very same /. page! Talk about slick, sic, and sick and effective marketing!

Re:Wonder How Microsoft Will React (3, Interesting)

Angostura (703910) | more than 10 years ago | (#9526559)

I know people are skeptical about a mass swap, but actually I think this is just the kind of issue that could cause small/medium sized businesses (say 100-200 users) to actually switch the default browser on their machines.

If the scenario is as reported, and IE is currently unpatchable, then the conversation is likely to go like this:

IT Manager: A problem has been identified in IE, it leaves the organization open to virus infection, we need to change the browser we use to something else.

CEO: Haven't you got more important things to do, where's my mail merge. I'm not having you spending a week changing every machine.

IT Manager: OK, the deal is, here is a threat that can't currently be solved, it presents the possibility that many of our machines could slow down, crash or be otherwise infected. To be honest, the details aren't clear, but it appears to be very easy for the infection to spread.

Are you formally telling me that you don't want me to take any action? and that you are happy with the situation.

CEO: How much does a new browser cost?

IT Manager - it's free.

CEO: quit hanging about in my office and get those new browsers installed.

MSN Search is infected (0, Interesting)

Anonymous Coward | more than 10 years ago | (#9526413)

The MSN search engine is infected.

You can download the trojan from here:
http://search.msn.com/msits.exe

Re:MSN Search is infected (2, Interesting)

DrMrLordX (559371) | more than 10 years ago | (#9526454)

Any word on whether or not hotmail is infected? That could be ugly.

Re:MSN Search is infected (2)

nick-less (307628) | more than 10 years ago | (#9526460)


The MSN search engine is infected.

You can download the trojan from here:
http://search.msn.com/msits.exe


all I get is a zero sized file..

Re:MSN Search is infected (1)

BoldAC (735721) | more than 10 years ago | (#9526533)

Why is this interesting? There is no file there.

Please check your links before modding... thanks!

AC

FUD ? (4, Insightful)

mirko (198274) | more than 10 years ago | (#9526422)

They don't mention that many names.
I however think that besides nda policy or whatever, they should give the names of the sites that should be avoided for security reasons.
I'd personally advise the corporate DNS maintainer to redirect these to somewhere safer.

Re:FUD ? (3, Insightful)

Rick.C (626083) | more than 10 years ago | (#9526449)

they should give the names of the sites that should be avoided for security reason.

They could be sued for lost business if they released the names. The compromised sites could fix their problem, but the warnings would still be out there, hurting their business.

It sucks, but that's the way it is.

Re:FUD ? (1)

mirko (198274) | more than 10 years ago | (#9526477)

Then should act so that it is impossible to even surf to these sites while there's no proof they're safe again.
The non disclosure stuff is more dangerous and hurting for the majority than it is for the few companies who inadequately protect themselves.
I do not like the way the Law works, in USA, it sounds like people's priority is somehow lower than companies'.

Re:FUD ? (1)

ckaminski (82854) | more than 10 years ago | (#9526510)

If it's true, and it's an editorial, I don't see how they can be sued. Or rather, how they can win. Yes, I know a lawsuit can be brought by anyone against anyone in this country...

Don't Forget Opera (4, Informative)

koniosis (657156) | more than 10 years ago | (#9526423)

Opera [opera.com] also offers a very decent alternative to both IE and Mozilla/Firefox.

Re:Don't Forget Opera (1, Interesting)

Anonymous Coward | more than 10 years ago | (#9526505)

ZDNet:

"Meanwhile, the average Internet surfer is left with few options. Windows users could download an alternate browser, such as Mozilla or Opera, and Mac users are not in danger."

Don't Forget Dillo (0)

Anonymous Coward | more than 10 years ago | (#9526543)

Dillo is light on features but good on old hardware for people who don't want to resort to lynx.

Unlike opera it's Free Software and it has a stricter privacy policy than mozilla.

It's no good to MSW users though...

What's it going to take to make people switch? (4, Interesting)

mrdaveb (239909) | more than 10 years ago | (#9526424)

I think I'll just have to be content that great browsers like Firefox are available for me to use, because obviously the masses are never going to be interested.
With these unpatched IE flaws in the wild, IE users don't even have to do something silly to get infected. But I suppose you could argue they are already doing something silly!

Re:What's it going to take to make people switch? (2, Interesting)

Anonymous Coward | more than 10 years ago | (#9526452)

The masses CAN BE interested.

I've been able to convince every one of my 18-year-old friends (who are mostly NOT technical people at all) to use Firefox. They all LOVE it. I think they switched partially because of all my complaining every time they started IE in front of me -- and partially because I sat down at their computer and downloaded the thing and installed it.

Re:What's it going to take to make people switch? (1)

mrdaveb (239909) | more than 10 years ago | (#9526478)

Yeah, that's true. It's pretty easy to get friends and family to switch. And I suppose a geek with a position in authority could get a whole company to switch, but it doesn't seem to make much of a dent.
My website logs still show approx 90% of hits are from IE. Although there is a nice scattering of Firefox users recently.

Re:Education (1)

bludstone (103539) | more than 10 years ago | (#9526517)

I'm serious.

The reason most people still use IE is because they don't know that it's what allows all of those problems to occur. They simply don't know it's as easy as installing firefox. Nor have they even _heard_ of it. I tell everyone who complains that firefox will halt the march of the spyware, but won't evict the current infestation.

In fact, it's gotten to the point where I keep a pre-written email around that spells out how to fix infected windows PCs.

It walks them through firefox, adaware, spybot, AVG and windows update.

It also says in the email. "The reason you are getting infected is because you are browsing porn sites while using IE." Makes a lot of them turn red. :)

Hmm, should I paste the email in here? :P

Re:Education (1)

SpinyManiac (542071) | more than 10 years ago | (#9526552)

Go on, paste it.

A copy of that would save me (and others) the effort of writing our own.

Education, my friend. (1)

winchester (265873) | more than 10 years ago | (#9526519)

It takes education to get people to switch. Show them Firefox is a good browser. I converted a friend of mine, by no other means than showing him the incredible amount of spyware on his machine, and explaining to him IE was the cause.

Then I installed Firefox for him, he was very impressed with the speed of Firefox, and he is a happy surfer now :-)

Life is good, and another person won over to using superior software.

Re:What's it going to take to make people switch? (1)

flowerp (512865) | more than 10 years ago | (#9526550)

Just use the same vulnerability to download some "malware" that disables IE and installs Firefox as the default browser. Most web users won't even notice the change if you include an IE-like skin in Firefox ;)

This could finally be it (5, Insightful)

Anonymous Coward | more than 10 years ago | (#9526428)

The disaster we all knew was going to happen. Not just some uber1337 script kiddie releasing a buggy worm that crashes the computers it attacks but organized crime attacking the net infrastructure.

But as bad as this may be this might also mean that finally more and more people and institutions will come to the conclusion, that a global infrastructure depending on one product from one company simply isn't the way to go. Especially if this company has such a horrid track record when it comes to security.

one thing I never get... (4, Insightful)

Mengoxon (303399) | more than 10 years ago | (#9526431)

...that enough people buy spam goods to pay for organized crime.

Re:one thing I never get... (1)

ibjhb (173533) | more than 10 years ago | (#9526445)

If it wasn't profitable, there wouldn't be people to send out spam...

Re:one thing I never get... (1)

Mengoxon (303399) | more than 10 years ago | (#9526464)

I'm not getting it - I'm not doubting it

What really happens... (5, Informative)

ibjhb (173533) | more than 10 years ago | (#9526433)

Since the article is very vague, what happens is that once they compromise the IIS server, they modify each site on the server to write a document footer to every page. The document footer calls a DLL placed in the %windir%\system32 directory. The DLL writes a line of JavaScript to each page which redirects the user to a remote server to download the malicious code.
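A defender-side check for the footer injection described in the comment above, added here as an example and not part of the original thread: it compares each page as stored on disk with the body the server actually returns and reports any script the file does not contain, noting whether it sits after the end of the document. The function names, the sample pages and the `.invalid` host are constructed for illustration.

```python
"""Report scripts present in a served page but absent from the file on disk."""
import re
from html.parser import HTMLParser

CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect every <script> element: its src attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = True
            self.scripts.append({"src": dict(attrs).get("src"), "inline": ""})

    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False

    def handle_data(self, data):
        if self._open:
            self.scripts[-1]["inline"] += data


def scripts_in(fragment):
    """Return (src, inline_body) for each script element in an HTML fragment."""
    collector = ScriptCollector()
    collector.feed(fragment)
    collector.close()
    return [(s["src"], s["inline"].strip()) for s in collector.scripts]


def tail_after_document(body):
    """Return whatever follows the last closing </html> tag, or '' if none."""
    matches = list(CLOSE_HTML.finditer(body))
    return body[matches[-1].end():] if matches else ""


def audit_page(path, on_disk, served):
    """List scripts the server returned that the on-disk file does not contain."""
    known = set(scripts_in(on_disk))
    in_tail = set(scripts_in(tail_after_document(served)))
    findings = []
    for src, inline in scripts_in(served):
        if (src, inline) in known:
            continue
        where = "after </html>" if (src, inline) in in_tail else "inside document"
        what = src if src else "inline, %d chars" % len(inline)
        findings.append("%s: unexpected script %s: %s" % (path, where, what))
    return findings


# Constructed sample data: one static page and the body a server returned for it.
SAMPLE_FILE = (
    '<html><head><script src="/js/site.js"></script></head>'
    "<body><p>Rates</p></body></html>\n"
)
SAMPLE_SERVED = (
    SAMPLE_FILE
    + '<script src="http://footer.example.invalid/f.js"></script>\n'
)

if __name__ == "__main__":
    for line in audit_page("/index.html", SAMPLE_FILE, SAMPLE_SERVED):
        print(line)
```

Run from a separate host against bodies fetched over HTTP, since a check that reads only the files on the server would miss content the web server appends at response time.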

Re:What really happens... (1)

Riturno (671917) | more than 10 years ago | (#9526528)

This happened to the web host Interland last year. They were very tight lipped initially about it, and would not explain what was happening to their IIS based servers. It took a month to get some sites fixed, and that only happened if you complained.

They won't list the sites (5, Insightful)

mgkimsal2 (200677) | more than 10 years ago | (#9526435)

This time, however, the flaws affect every user of Internet Explorer, because Microsoft has not yet released a patch. Moreover, the infectious Web sites are not just those of minor companies inhabiting the backwaters of the Web, but major companies, including some banks, said Brent Houlahan, chief technology officer of NetSec.

"There's a pretty wide variety," he said. "There are auction sites, price comparison sites and financial institutions."

The Internet Storm Center, which monitors Net threats, confirmed that the list of infected sites included some large Web properties.

"We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.


WHY NOT? I've been trying to think of a reason NOT to list the sites infected, but I can't think of a good one. "To prevent further abuse"???? Wouldn't giving the public NOTICE about these sites help prevent more infections by having people NOT go to those sites?

Re:They won't list the sites (1)

ibjhb (173533) | more than 10 years ago | (#9526457)

Though I don't necessarily agree, the thought is that people will go visit those sites to see what happens.

Re:They won't list the sites (2, Insightful)

BandwidthHog (257320) | more than 10 years ago | (#9526494)

Yeah, but if we're talking about sites like eBay (implied) or MSN (explicitly mentioned above), then it's not like 4.2 squillion people wouldn't have hit those sites today regardless.

As big a fan of MS as I am (the email address above really is valid), I truly hope this doesn't turn out to be as big and nasty as it looks so far.

Re:They won't list the sites (1)

Threni (635302) | more than 10 years ago | (#9526508)

>Though I don't necessarily agree, the thought is that people will go visit those
>sites to see what happens.

Yeah...so i can decide to avoid, say eBay (if it's the affected auction site), and idiots will go there to see what happens when they visit an infected site. Sounds like both groups of people are winners here - what's the problem?

public health comparison? (3, Insightful)

mgkimsal2 (200677) | more than 10 years ago | (#9526470)

Replying to my own post: :)

If there was a public health risk - such as biohazardous material - even in a private storefront - the city or state would close off the area and warn people not to go there. Yes, you might have people wanting to go anyway, but they've been warned.

I know the analogy isn't all that great, but it's the best I can do right now. :)

Re:public health comparison? (4, Insightful)

The_REAL_DZA (731082) | more than 10 years ago | (#9526537)

If there was a public health risk - such as biohazardous material - even in a private storefront - the city or state would close off the area and warn people not to go there. Yes, you might have people wanting to go anyway, but they've been warned.
Oh, you'd not only have people wanting to go there, you'd have people determined to go there (whether just to "test their mettle" or because they're crazy or just stupid or whatever), and the authorities would physically block access to the site by closing roads and posting armed security personnel around the perimeter. That's what's missing with the internet: a truly controlling authority with rapid response capabilities to answer "emergency" calls such as we might expect to come in to the local 911 switchboard, plus the ability (and willingness) to quarantine "sites" that pose a potential "public health risk" to the rest of the 'net. That's both bad (from a potential-victim standpoint) and good (from a personal liberties standpoint), but there's got to be some middle ground better than just running the internet "WFO" and depending on the good nature and virtue of the general public.

Re:They won't list the sites (1)

Pros_n_Cons (535669) | more than 10 years ago | (#9526493)

"WHY NOT? I've been trying to think of a reason NOT to list the sites infected, but I can't think of a good one. "

Because it makes the sites look bad, if they tell someone in confidence "hey, there is a new exploit going around they used on us, tell everyone to use Mozilla" What do you think they'll say next time? "what? us? no, everything is fine, keep using IE"

Re:They won't list the sites (0)

Anonymous Coward | more than 10 years ago | (#9526515)

Now I'm replying to my own post as well, I should note that I don't think this is the perfect solution but until laws or the like are put in place to force companies into full disclosure the best we can expect from the majority of them is "someone, somewhere hacked something and here is how to prevent it from happening to you" That's better than pretending there is no problem at all.

Re:They won't list the sites (1)

angrist (787928) | more than 10 years ago | (#9526497)

I can think of some Mac/*nix bashing friends of mine that i'd love to direct to these sites.

Re:They won't list the sites (0)

Anonymous Coward | more than 10 years ago | (#9526502)

Well, given the final message:

"I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now," he said.

You can tell you are dealing with PHBs. Don't expect a logical response.

Information overload? (0)

Anonymous Coward | more than 10 years ago | (#9526512)

The list might be just a touch long!

How many IIS servers are there out there?

The worst case assumption is that they are all compromised! If everybody starts sending "the list" back and forth, the bandwidth may be excessive!

Because it would make me ANGRY (4, Insightful)

Gzip Christ (683175) | more than 10 years ago | (#9526525)

WHY NOT? I've been trying to think of a reason NOT to list the sites infected, but I can't think of a good one.
They are probably not listing the sites in order to prevent (or minimize) a consumer backlash from consumers against the sites and then a subsequent backlash from the companies against Microsoft. I tell you what - if I found out that any of my banks were irresponsible enough to be running infected servers like this I would immediately move my accounts elsewhere. I'd also be very eager to participate in any class action lawsuit against said institutions. If you don't know how to drive you stay off the road. If you don't know how to keep your servers secure, stay the hell off the Internet. My banks have a fiduciary responsibility to protect my money and if they are knowingly running an infected server, I would consider that a breach of their responsibility, and I would hope that the courts agree. This is like a brick and mortar bank keeping money and records on location when it knows that the locks on the doors don't work!

Re:They won't list the sites (0)

Anonymous Coward | more than 10 years ago | (#9526549)

Fear of a large scale backlash?
Fear of being sued by some idiotic company that they list?

It certainly sounds strange not to list the sites, so they could be avoided. Ibjhb's comments might be the reason, but it seems so silly. Let the people know, at least.

Re:They won't list the sites (5, Insightful)

flowerp (512865) | more than 10 years ago | (#9526561)


Nope, I think the real reason is protecting the businesses.

Even if the sites' admins had already removed the infecting code, a "dangerous sites" list like that would likely prevent many potential visits to the site for weeks to come.

Security Advisories (5, Informative)

Lars T. (470328) | more than 10 years ago | (#9526436)

US-CERT [uscert.gov] and Internet Storm Center [sans.org] . Less talk, more information.

Re:Security Advisories (3, Funny)

sploo22 (748838) | more than 10 years ago | (#9526520)

The site which is actually sending the infected file seems to have been slashdotted. Is this the next wave of antivirus technology?

Re:Security Advisories (0, Troll)

Jarnis (266190) | more than 10 years ago | (#9526522)

US-CERT is giving bullshit advice.

Basically they are saying 'this thing uses javascript, so users should disable javascript unless absolutely necessary'.

Only problem being that I bet lots of the big name sites compromised require javascript.

Depending on what the payload does, this could turn nasty before monday.

0-day exploits in widely used closed source software being exploited for malicious purposes = fun.

Opera? Firefox? IE.....hell no (5, Interesting)

arikol (728226) | more than 10 years ago | (#9526437)

I know it's not fashionable around these parts, being closed source, but Opera (www.opera.com) really is the bee's knees. On my machine it renders faster, everything is snappier than mozilla/firefox and has more features than you can shake Darl Mcbride at. It's not free, true, but costs about the same as a pop-up blocker for Internal Exploder. Plus, Opera's built-in mail client is wonderful. Not that I'm badmouthing firefox, I have that too, I just like Opera even better.

Re:Opera? Firefox? IE.....hell no (0)

Anonymous Coward | more than 10 years ago | (#9526461)

My registered copy of Opera was free from the good people at ANDR [andr.net] .

Re:Opera? Firefox? IE.....hell no (1)

Apocalypse111 (597674) | more than 10 years ago | (#9526532)

...costs about the same as a pop-up blocker...

But I thought Google's Search Bar was free...

Hmmm.... (4, Interesting)

T-Keith (782767) | more than 10 years ago | (#9526438)

I've always wondered how my coworkers who "only" go to major sites like Yahoo and Ebay, pick up all sorts of spyware and adware.

This just in... (5, Funny)

howman (170527) | more than 10 years ago | (#9526450)

It has just been brought to our attention at the root of the problem this site [microsoft.com]

How terrible for them (-1, Troll)

Anonymous Coward | more than 10 years ago | (#9526459)

ZDNet says users have 'few options' other than alternative browsers or platforms."

Gee, wouldn't that just be awful for them to have to use an "alternative browser"? I mean, they might have to spend a few days fixing their own corporate websites to use proper standards or something! We clearly couldn't have that now could we?

Ask Microsoft (4, Informative)

m00nun1t (588082) | more than 10 years ago | (#9526462)

http://www.microsoft.com/security/incident/download_ject.mspx

Linked to from their home page, has been for quite a few hours. Gives more information, including an inference that the server portion is self propagating, and (contrary to /.) that a patched PC is safe.

Re:Ask Microsoft (2, Interesting)

r1ch (166865) | more than 10 years ago | (#9526563)

Actually it implies that you need Windows XP SP2 _RC2_ (ie not actually released yet) to be safe - that's not really something that MS should expect people to install on production boxes.

Hello? Use Firefox! (4, Insightful)

Solar Limb (673519) | more than 10 years ago | (#9526463)

Christ man, how many times do people have to be told to use Firefox or another alternative, more secure browser? IE's browser development efforts have been long gone, and it shows in both features/functionality as well as security.

But How Many People Will Switch? (5, Insightful)

Paulrothrock (685079) | more than 10 years ago | (#9526466)

My dad had horrible spyware gunking up his PC at home. (Which he bought against my recommendation of a Macintosh.) I used my limited knowledge of spyware to clean it up, and told him to use Firefox. Next week, the default browser was back to IE. I changed it because I thought Windows had done something. The following week he told me "I don't want to use Firefox. Nothing works in it!"

He'd rather have me wipe spyware and adware from his machine than deal with it. It's a symptom of having w3schools.com graduates making web sites in Frontpage that only work on front page.

Of course, now IE doesn't work at all, so he runs AOL through his broadband connection to surf the Internet.

And yes, I have since stopped wiping adware/spyware from his machine. I told him if he wasn't going to buy a machine that didn't get the stuff, or use a browser that was secure, he can deal with it himself.

Re:But How Many People Will Switch? (1, Insightful)

Anonymous Coward | more than 10 years ago | (#9526499)

"He'd rather have me wipe spyware and adware from his machine than deal with it."

You're an enabler of his poor behavior.

Seriously, use mozilla, not firefox; at this point it is the better browser. As far as things not working, get him to show you which sites don't work.

Re:But How Many People Will Switch? (0)

Anonymous Coward | more than 10 years ago | (#9526507)

a) Tell him he can fix it himself in the future, or my preferred method
b) Remove all shortcuts to IE. Configure IE to use a non existent proxy E.g. 10.0.0.1, for all protocols. Bypass the proxy for *.microsoft.com so Windows Update will work, but nothing else. Install Firefox and configure it.

Now if they do somehow manage to find and run Internet Explorer, they'll not be able to actually connect to any sites with it anyway. It's highly unlikely they'll ever figure out how to change the proxy config. If they complain; well that's just tough. They'll get used to it.

Re:But How Many People Will Switch? (1)

Oligonicella (659917) | more than 10 years ago | (#9526516)

"It's a symptom of having w3schools.com graduates making web sites in Frontpage that only work on front page."

I have yet to come across a page that NetScape couldn't render. I don't know what you and dad are talking about.

Re:But How Many People Will Switch? (1)

gmletzkojr (768460) | more than 10 years ago | (#9526558)

I frequently get calls from people with similar situations - they have to run IE, Kazaa, and every other file sharing program under the sun, and then wonder why the PC gets infected. And even though I charge for cleaning the machines, it just gets tiresome to constantly do the same process to the same machines.

But some of the problem is a lack of understanding that there really are other browsers available, and they really can be used under Windows. Like it or not, the average Joe doesn't know what Opera or Firefox is, even though most of us have grown to love them. Even if you explain to them the benefits, they often say "Well, I am used to this, so I will just stick with it - it seems to work ok."

How to kill it (5, Informative)

SpinyManiac (542071) | more than 10 years ago | (#9526467)

I think this is the one I caught at work.
No security restrictions in IE will stop it.

I caught it here:
http://www.yetanotherhomepage.com/j7xx/j7xx.html
There's a reason that this one isn't a link. ;)

I killed mine like this (Windows 2000):

Delete these:
C:\Winnt\System32\Swin32.dll
C:\Winnt\System32\Automove.exe
C:\Winnt\System32\Trans.exe

And this:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
[Adstartup] C:\Winnt\System32\Automove.exe

Seek and destroy Swin32.dll in the registry
Take out all of the CLSIDs it occurs in.

Re:How to kill it (0)

Anonymous Coward | more than 10 years ago | (#9526546)

"http://www.yetanotherhomepage.com/j7xx/j7xx.html"

What?! You answered SPAM!

Re:How to kill it (1)

SpinyManiac (542071) | more than 10 years ago | (#9526564)

The site's got nothing to do with spam. I should have mentioned that this is the second link in the article, about driveby popup installers which you can't stop with IE.

The article is flawed (0)

Anonymous Coward | more than 10 years ago | (#9526469)

The reason the article is vague is because it's mixing up several recent stories...

The redirection to Russian sites is the old "Paypal needs you to re-register, click here" scam, which goes via a site that secretly installs a key logger (IF you have an unpatched IE and IF you have no firewall).

The "IE problem that Microsoft hasn't fixed yet" is a separate, unrelated problem.

ZDNet is going way downhill in their attempt to get more readers...

Re:The article is flawed (0)

Anonymous Coward | more than 10 years ago | (#9526523)

IIS 5 Web Server Compromises
added June 24

US-CERT is aware of new activity affecting compromised web sites running Microsoft's Internet Information Server (IIS) 5 and possibly end-user systems that visit these sites. Compromised sites are appending JavaScript to the bottom of web pages. When executed, this JavaScript attempts to access a file hosted on another server. This file may contain malicious code that can affect the end-user's system. US-CERT is investigating the origin of the IIS 5 compromises and the impact of the code that is downloaded to end-user systems.

Web server administrators running IIS 5 should verify that there is no unusual JavaScript appended to the bottom of pages delivered by their web server.

This activity is another example of why end users must exercise caution when JavaScript is enabled in their web browser. Disabling JavaScript will prevent this activity from affecting an end-user's system, but may also degrade the appearance and functionality of some web sites that rely upon JavaScript. US-CERT recommends that end-users disable JavaScript unless it is absolutely necessary. Users should be aware that any web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code.

http://www.uscert.gov/current/current_activity.html#iis5

Infected ferociously (5, Interesting)

phil-is-math (602835) | more than 10 years ago | (#9526473)

I was wondering where I got this from. I spent 4 hours removing Malware from my computer the other day. Since I don't tend to visit pr0n sites at work, I had no idea how I was so badly infected until now... Ad-aware, spybot, and Nortons did not find the evil software. My process list was filled with MANY unkillable processes with random names. Every time I killed one, it would start again with a new name. I found the executables on my drive and deleted them, they would RE-CREATE themselves!! Also, it looked like one of the installed viruses(?) would download new Malware! I was wondering, is this a virus? is it spyware? It was hard to classify as far as I could tell and it SUCKED.

Stop using IE (0)

Anonymous Coward | more than 10 years ago | (#9526488)

Stop using IE.

It's simpler than it seems. Microsoft will not fix these fundamental problems unless they see users moving away en masse to another browser platform.

I call bullshit (4, Insightful)

JUSTONEMORELATTE (584508) | more than 10 years ago | (#9526474)

"We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.

I don't buy it.
If your goal is to have the problem fixed, then name names, contact the affected companies so they can fix it (or have their contracted webmasters fix it) and move on.
The whole thing stinks of FUD tactics, and the last line in the article seals it for me:
NetSec's Houlahan advocated drastic action.


"I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now," he said.
Puleeeeeze

--

And now I take it back (1)

JUSTONEMORELATTE (584508) | more than 10 years ago | (#9526521)

The linked article was crappy, but thanks to Lars T [slashdot.org] for pointing out the US-CERT [uscert.gov] and SANS [sans.org] discussions on the topic.

US-CERT is once again spreading anti-MS fud (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#9526539)

http://www.uscert.gov/current/current_activity.html#iis5

Re: "Experts" (1)

Defiler (1693) | more than 10 years ago | (#9526544)

Agreed. He works for NetSec, and his best solution is "don't use the Interwebnet.com thingy today, honey"? How about switching your wife to *gasp* a different browser?
Also, it's neat that they mention banking sites as prime targets for this attack, but the one site it's safe for his wife to visit is a banking site. Consistency ahoy!

The great firewall of ... Western countries (2, Insightful)

Anonymous Coward | more than 10 years ago | (#9526482)

In the future, people will just "firewall" off offending countries until they start policing and clean up their act. Sort of like UN sanctions but online :)

Besides... AKs aren't allowed over here ;P

Re:The great firewall of ... Western countries (2, Informative)

RayTardo (779153) | more than 10 years ago | (#9526534)

Doesn't a high proportion of spam come from the USA?

Undisclosed sites? (3, Interesting)

SlashDread (38969) | more than 10 years ago | (#9526485)

WTF is that? So it can infect the rest of the world?

This reeks of criminal negligence IMHO, they know of a crime, and they won't tell how or who will do it to you..

"/Dread"

not detected by AV software? (5, Interesting)

Lxy (80823) | more than 10 years ago | (#9526491)

This "virus" is not detected by antivirus software, according to the article. Does anyone know why? I run eTrust on my IIS boxen. (yes, I have a few, no I didn't put them there, no, they shouldn't be there, but our dev team wants ASP) Etrust is a fine product, but supposedly this offending code isn't detected. That bothers me a little, but this leads to another question.

Why isn't spyware classified as viral code? I realize it doesn't spread in the same manner as a virus, but it a) installs itself uninvited b) causes the PC and its software to behave erratically and c) makes my job needlessly more difficult. It bothers me that virus scanners aren't picking up spyware.

Anyway, to bring this back on topic, this situation requires a server side fix. I'm sorry, I can't tell every customer to switch browsers. I can't even get my internal users to switch. Most can't, because of some oddly coded piece of software that only runs in IE. My point is, my boxen might be infected right now. Not caught by AV software, how am I supposed to determine whether this thing lives on my server?
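An added example, not part of either post: one way to act on the US-CERT advice quoted earlier in the thread ("verify that there is no unusual JavaScript appended to the bottom of pages delivered by their web server"), which also answers the question above of how to check a server that antivirus reports as clean. It assumes you pass in the bytes as actually delivered by the server (not the file on disk) and, optionally, a known-good copy; the function names and sample pages are constructed for illustration.

```python
import re

HTML_CLOSE = re.compile(rb"</html\s*>", re.IGNORECASE)
SCRIPT_TAG = re.compile(rb"<script\b([^>]*)>", re.IGNORECASE)
SRC_ATTR = re.compile(rb"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def tail_after_html(page: bytes) -> bytes:
    """Return everything after the last </html> tag, stripped of whitespace."""
    closes = list(HTML_CLOSE.finditer(page))
    return page[closes[-1].end():].strip() if closes else b""


def added_suffix(served: bytes, baseline: bytes):
    """Bytes appended to a known-good copy; None if the page differs elsewhere."""
    base = baseline.rstrip()
    if not served.startswith(base):
        return None
    return served[len(base):].strip()


def audit_page(served: bytes, baseline: bytes = None) -> dict:
    """Flag script content delivered after the end of the document."""
    tail = tail_after_html(served)
    suffix = added_suffix(served, baseline) if baseline is not None else None
    scripts = SCRIPT_TAG.findall(tail)  # attribute strings of trailing <script> tags
    sources = [m.group(1).decode("ascii", "replace")
               for attrs in scripts for m in SRC_ATTR.finditer(attrs)]
    differs = baseline is not None and suffix != b""
    return {
        "script_after_html": bool(scripts),
        "external_sources": sources,
        "differs_from_baseline": differs,
        "suspicious": bool(scripts) or differs,
    }


# Constructed sample pages (not captured from any real site).
CLEAN = b"<html><body><h1>Intranet</h1><script>var menu = 1;</script></body></html>\r\n"
TAMPERED = CLEAN + b'<script src="http://files.example.invalid/a.js"></script>'

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, audit_page(page, baseline=CLEAN))
```

A script inside the document body, as in the clean sample, is not flagged; only content after the closing tag or a mismatch against the baseline is.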

what sites are infected? (1)

jaxle (193331) | more than 10 years ago | (#9526495)

"We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.

So does anyone know what sites are infected? I'm sure most of us would like to avoid them...

Re:what sites are infected? (4, Insightful)

AKnightCowboy (608632) | more than 10 years ago | (#9526518)

So does anyone know what sites are infected? I'm sure most of us would like to avoid them...

Avoid them? Hell, I'd start by blocking them on my web proxy immediately until I get the all clear. We've got thousands of desktop users running IE. This could get nasty.

Liability of sites that recommend IE? (5, Interesting)

G4from128k (686170) | more than 10 years ago | (#9526496)

So many places say "this site best when viewed with IE." IANAL, but it seems irresponsible for a site to recommend IE, especially if the site handles sensitive materials such as financial services or downloadable software. If IE includes known vulnerabilities, can sites be held liable for making that recommendation?

Any thoughts from the more legally minded amongst us?

Is it an IE only exploit? (5, Interesting)

SimplyCosmic (15296) | more than 10 years ago | (#9526509)

The original post mentions a "combination of two unpatched IE security holes", but both the US-CERT [uscert.gov] and Internet Storm Center [sans.org] only mention javascript and not a specific browser as being able to be compromised by the infected IIS servers.

My question is, how do we know this is an IE-only problem? I ask this because I have several friends whom I'm trying to convince to try an alternative browser for security reasons but I don't want to be that guy we all know who goes off about "IE exploits" that turn out to be nothing of the sort.

Another nail in Javascript's coffin (4, Interesting)

onlyjoking (536550) | more than 10 years ago | (#9526514)

It won't be long before Javascript is considered a complete security risk and it's the web developers who are going to suffer. Despite the rantings of sysadmins who don't touch web development it is actually a very useful language to supplement HTML.

Javascript menus and first pass form validation, anyone?

Microsoft Published Workaround (2, Informative)

Anonymous Coward | more than 10 years ago | (#9526540)

Corporations [microsoft.com]

Home users [microsoft.com]

And make sure IIS dudes apply all former patches!

I'm so happy (2, Insightful)

Oestergaard (3005) | more than 10 years ago | (#9526547)

...that my mother has been running Gentoo on her desktop machine for three weeks now.

Just yet another "security" problem that I won't have to care about. Ahhhh.

Do your part (2, Interesting)

arvindn (542080) | more than 10 years ago | (#9526548)

Help more people switch to mozilla/firefox. Mozilla hacker Blake Ross has started a weekly brainstorming effort for firefox marketing ideas on his weblog [blakeross.com] . Go thither and chime in. I just did.

Iraq Update (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#9526562)

Coalition forensics have confirmed that the late U.S. hostage Nick Berg had chronic dandruff. How did they determine this? His Head and Shoulders were found in an undisclosed alleyway.

I believe that this all goes back to... (2, Interesting)

Dagny Taggert (785517) | more than 10 years ago | (#9526567)

...the uneducated user. Let's face it: the internet has been sold as this great tool and all you need to get on it is a PC and a phone line, cable, or whatever. If you preach the need for basic education, you are some kind of geek (how often have you heard, "I don't want to know all that, I just want to get online!") and if you make even the slightest suggestion that some people just don't belong online due to their own lack of common sense, you are some kind of elitist (try telling people to use the BCC option of their e-mail client instead of CC'ing everyone in their address book and see what kind of reaction you get). As a previous poster said, it is, once again, unpatched systems that are causing the problem. And here's the chorus now, "I didn't know! No one told me! It's not my fault!" And we, of course, will pick up the pieces.