Security analysts say that the malicious code that has been infecting some Windows machines since Thursday morning was planted via an IIS (Internet Information Services) vulnerability on the Web servers that host some high-traffic sites.
Users visiting those sites have had their machines infected with a piece of code that installs a keystroke logger and other malicious tools.
The attack appears to affect only machines running Internet Explorer, and users do not have to click on any links or images in order for the code to download. The Trojan thats installed on compromised machines is a fairly simple one.
Microsoft has issued a security alert on the attack, called Download.Ject. The company says that their MS04-011 update, issued in April, addresses vulnerability to the attack on the server end. The bulletin also says that systems running Release Candidate 2 of Windows XP Service Pack 2 are not vulnerable to the client-side attack, and that other systems can be protected from downloads of malicious code by having all current critical patches installed and running Internet Explorer with its security settings at “High.”
Most of the compromised Web servers are running IIS 5.0, an older version of Microsoft Corp.s Web server software. Once a visitors PC is compromised, the code contacts two remote machines—one in Russia and one in the United States—and attempts to download more files to the machine.
Some of the details of the attack are still unclear. For example, the client-side attack code is pulled from specific sites which appear no longer to be available. Initial reports that the attack used infected graphics files turned out to be false.