Updated: Security analysts say that the malicious code that has been infecting some Windows machines was planted via an IIS vulnerability on the Web servers that host some high-traffic sites. The attack uses vul
Security analysts say that the malicious code
that has been infecting some Windows machines since Thursday morning was planted via an IIS (Internet Information Services) vulnerability on the Web servers that host some high-traffic sites.
Users visiting those sites have had their machines infected with a piece of code that installs a keystroke logger and other malicious tools.
The attack appears to affect only machines running Internet Explorer, and users do not have to click on any links or images in order for the code to download. The Trojan thats installed on compromised machines is a fairly simple one.
Microsoft has issued a security alert on the attack,
called Download.Ject. The company says that their MS04-011 update
, issued in April, addresses vulnerability to the attack on the server end. The bulletin also says that systems running Release Candidate 2 of Windows XP Service Pack 2 are not vulnerable to the client-side attack, and that other systems can be protected from downloads of malicious code by having all current critical patches installed and running Internet Explorer with its security settings at "High."
Most of the compromised Web servers are running IIS 5.0, an older version of Microsoft Corp.s Web server software. Once a visitors PC is compromised, the code contacts two remote machinesone in Russia and one in the United Statesand attempts to download more files to the machine.
For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzers Weblog.
Some of the details of the attack are still unclear. For example, the client-side attack code is pulled from specific sites which appear no longer to be available. Initial reports that the attack used infected graphics files turned out to be false.
The US-CERT has issued a warning about this threat, and says that it is investigating the activity. Advisories from Symantec
and Computer Associates
both currently describe the attack as rare.
Check out eWEEK.coms Security Center
for the latest security news, reviews and analysis.
Be sure to add our eWEEK.com developer and Web services news feed to your RSS newsreader or My Yahoo page