Mysterious, large-scale Internet attack against thousands of popular Web sites

Government and industry experts warned late Thursday of a mysterious, large-scale Internet attack against thousands of popular Web sites. The virus-like infection tries to implant hacker software onto the computers of all Web site visitors.

Industry experts and the Homeland Security Department were studying the infection to determine how it spreads across Web sites and find adequate defenses against it.

www.cnn.com...

It is recommended we all update our anti-virus software. Apparently, the virus infects your computer, and then uses your e-mail address to send out spam. This, web site based virus, is something I hadn't heard of before. Has this type of attack occured before?

This kind of attack is nothing new iam sorry to say these days.Iam not sure of what the payload of this VX is ment to do at the moment but possible it will be a ddos attack on a given date at one or more web sites like we have seen before.

Microsoft should be hanging there heads in shame with all the holes in WinXP.This VX is more then good chance using some unpatched exploit that the coder has seen floating about or found themselves.

I'm pretty sure this kind of virus has been used before, just not on this kind of scale. Everyday, I get 10+ messages from people asking my to open an attachment to the email. Does this have anything to do with it?

The Nimda Worm was a blended-threat that could infect a web server and, in turn, infect users who browsed pages on that server.

So far, I have not observed anything like the numbers indicated in that CNN article, although scanning for a particular IIS port, 445, is up about 10%. The Internet Storm Center is doing a good job of tracking this incident.

I've taken the precaution of blocking at our perimeter the address that ISC says is providing the malicious code.

I'm a little confused by the CNN article. On the one hand they're saying it's "mysterious" and "virus-like", so they obviously don't know what is causing the infection, yet they also warn that anti-virus software should be up to date.

If they don't know what the attack is, how can anti-virus software help? Not everyone uses heuristics and I've always found them to be ineffective.

Grey Pilgrim

hmm I might have this virus i scanned my computer a couple days ago and found 7 virus infected files and I don't get much "mysterious" e-mail so it must have been from the web it was a trojan and porn pop ups were showing up CONSTANTLY but i fixed it.

Originally posted by Grey_Pilgrim
...If they don't know what the attack is, how can anti-virus software help? Not everyone uses heuristics and I've always found them to be ineffective.

That ISC article showed that some AV signatures catch it already. Fortunately mine is one that does.

BitDefender 7.0/20040624 nothing
eTrustAV-Inoc 4641/20040623 nothing
F-Prot 3.14e/20040624 nothing
Kaspersky 3.0/20040625 nothing
McAfee 4369/20040624 nothing
NOD32v2 1.794/20040623 nothing
Norman 5.70.01/20040512 nothing
Panda 7.02.00/20040624 nothing
Sybari 7.50.1138/20040624 [Win32.Webber]
Symantec 8.0/20040624 [Backdoor.Berbew.F]
TrendMicro 1.00/20040624 nothing

Originally posted by Spectre
That ISC article showed that some AV signatures catch it already. Fortunately mine is one that does.

Ahhh. Thanks Spectre, I haven't had time to read the ISC article yet.

Cheers,
Grey Pilgrim

This new attack takes advantage of two things: 1) Holes in Microsoft IIS (Internet Information Server) that enables attackers to upload their virus/trojan payload for delivery. 2) Unplugged holes in Microsoft IE that allows software to be installed without any user intervention. Since ATS is hosted on a LINUX server, this website is not vulnerable to this current attack. So... for the near future, and until we let you know it's safe, avoid any other website other than ATS.

Originally posted by SkepticOverlord
Since ATS is hosted on a LINUX server, this website is not vulnerable to this current attack. So... for the near future, and until we let you know it's safe, avoid any other website other than ATS.

I seem to spend half my life on ATS as it is!

Cheers,
Grey Pilgrim