Web Sites Still Infected

More than 100 Web servers running Microsoft's Internet Information Services software are still infected with malicious code that was part of a widespread Internet attack, known as Scob, or Download.ject, that began two weeks ago, a security researcher says.

Dan Hubbard director of security and technology research at Websense Inc., a maker of employee Internet management and content protection software, says he spotted the 100-plus sites when the firm conducted its routine study of roughly 24 million Web sites for malicious code and possible Web-based attacks.

The Scob attack first surfaced the week of June 21 when security researchers began warning that thousands of hacked Web sites were infected with malicious software and that those servers placed Web surfers at risk to attack.

It's widely thought that Russian hackers were behind the attack, which took advantage of unpatched Web servers running Microsoft IIS software version 5.0 as well as several vulnerabilities within Internet Explorer. One of the Internet Explorer vulnerabilities the hackers exploited didn't have a patch, or a fix, at the time of the attack.

Web surfers who visited infected Web sites where themselves infected with hacker tools designed to steal personal information and send it to a computer Internet address located in Russia, which was quickly shut down by Internet service providers.

Web surfers didn't need to click on a link or an attachment to get infected in this attack; simply visiting a compromised Web site was enough.

While the attack targeted sites running IIS 5.0, Hubbard says the majority of the remaining infected systems are now running version 6.0.

It's not a new attack on version 6.0, says Hubbard, but rather Web site operators are upgrading to IIS version 6.0 on top of their infected IIS 5.0 systems.

While Hubbard won't name the infected Web sites, the reaction he got from the 25 or so sites he managed to contact was unsettling. "The majority were not even aware of the Scob attack," he says. "They had no idea any of this was going on. Only one person was up on what is happening in the security world," he says.

While this attack was thwarted by shutting down the hacker system that collected end-user information, more copycat attacks are likely, experts warn.

Microsoft on July 2 issued a "configuration change" designed to plug the unpatched Internet Explorer security hole targeted in the Scob attack. However, security researchers this week say they've found ways to bypass the workaround and successfully attack fully patched versions of Internet Explorer.

Microsoft said last Friday that the configuration change was a temporary solution and that the software company would be releasing more thorough Internet Explorer fixes in coming weeks.

Microsoft is scheduled to release this month's batch of security updates on July 13.

The software maker has published a page dedicated to keeping consumers and corporate customers up to date about the download.ject attacks. It can be found here.