Malicious server halted
- By Florence Olsen
- Jun 28, 2004
A Russian Web site that had been pushing code to visitors' computers to steal financial information has apparently been shut down, security officials reported today. No one has figures on how many government or other users may have been affected by the widely publicized network attack.
"Since Friday, this thing was stopped in its tracks," said Oliver Friedrich, senior manager of Symantec Corp.'s Security Response Group. "That being said, the original vulnerability that this attack exploited within [Microsoft Corp.] Internet Explorer has not been fixed."
Warning of a network attack appeared Friday on the Homeland Security Department's U.S. Computer Emergency Readiness Team (US-CERT) Web site, which posts warnings about Internet threats. The notice said that some trusted Web sites, which it did not name, had been compromised and were appending JavaScript to the bottom of Web pages as users downloaded them.
The malicious code also included a backdoor or Trojan horse program that hackers could use in the future to launch further attacks.
Officials at NetSec Inc., a provider of managed security services, said a small portion of the company's government and commercial customers were affected by the network attack last week.
NetSec security analysts detected unusual behavior on some customers' networks last Wednesday, June 23, after analyzing data from customers' firewalls. They quickly configured customers' firewalls and routers to block the attack, said Dan Frasnelli, manager of NetSec's technical assistance center.
They also put preventive measures in place to keep the attack from affecting other customers, he added.
Some security companies advised users to set the security level to high in their Internet Explorer browsers until Microsoft officials create a patch for the third vulnerability being exploited in the attack, which remains unpatched. Security experts also suggested that users switch to a browser other than Microsoft's, at least until Microsoft issues the patch for Internet Explorer.
"The door's open," Friedrich said. "There's still no fix for this, and it's anyone's guess whether someone's going to come along in the next couple of days or next couple of weeks and write another exploit or additional malicious code to exploit this vulnerability."
Security experts said users can use their computers' file search function to look for the filenames "Kk32.dll" and "Surf.dat" to see if their computers might have become infected. Antivirus companies announced they have tools that will remove the harmful files.
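The filename check above can be scripted rather than run by hand through the Windows search dialog. The following is an added example, not code from the article or from any of the vendors it quotes: it walks a directory tree and reports any file whose name matches one of the two indicator names, comparing case-insensitively because Windows filesystems are. The sample directory tree it builds is constructed for the demonstration and contains no real malware; the names of the helper functions are this example's own. A filename match is only a first-pass indicator: a renamed file will not be found, and a hit should be confirmed and cleaned with the antivirus tools the article mentions.

```python
import os
import tempfile
from pathlib import Path

# Indicator filenames reported for this attack (from the article).
# Stored lowercase; matching is case-insensitive to match Windows semantics.
INDICATOR_FILENAMES = {"kk32.dll", "surf.dat"}


def scan_for_indicators(root, indicators=INDICATOR_FILENAMES):
    """Walk `root` and return sorted paths of files whose name is an indicator.

    Only exact filename matches count: "kk32.dll.txt" is deliberately not a hit,
    so the scan does not flood the operator with near misses.
    Unreadable directories are skipped rather than aborting the whole scan.
    """
    wanted = {name.lower() for name in indicators}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _err: None):
        for fname in filenames:
            if fname.lower() in wanted:
                hits.append(Path(dirpath) / fname)
    return sorted(hits)


def build_sample_tree(base):
    """Create a constructed sample tree (hypothetical, no real malware) under `base`."""
    base = Path(base)
    (base / "Windows" / "System32").mkdir(parents=True)
    (base / "Documents").mkdir(parents=True)
    # Two files that should be reported, in different case than the indicator list.
    (base / "Windows" / "System32" / "KK32.DLL").write_bytes(b"constructed sample, not a DLL")
    (base / "Documents" / "Surf.dat").write_bytes(b"constructed sample")
    # Benign files and a near miss that must not be reported.
    (base / "Documents" / "notes.txt").write_bytes(b"benign")
    (base / "Windows" / "kk32.dll.txt").write_bytes(b"near miss, not an exact name match")
    return base


def run_demo():
    """Build the sample tree in a temp dir, scan it, return the matched names (lowercase)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = scan_for_indicators(tmp)
        return sorted(p.name.lower() for p in hits)


if __name__ == "__main__":
    # On a real machine you would call scan_for_indicators on the drive root,
    # e.g. scan_for_indicators(r"C:\\"), and review every path it returns.
    for name in run_demo():
        print("indicator file found:", name)
```

On a real system, point `scan_for_indicators` at the drive root and expect the walk to take a while; the function returns full paths so each hit can be quarantined or handed to an antivirus tool for confirmation.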
Noting the increasing harm posed by network attacks, Gail Hamilton, an executive vice president at Symantec, said in a speech earlier this month in Washington, D.C., that more potentially harmful network attacks have occurred in the past four months than in all of last year.
Security analysts will continue to monitor the situation, said Ken Ammon, president of NetSec. Analysts are not sure whether systems infected by the Trojan program could be used for more malicious activity, such as launching a denial-of-service attack on networks.
The Trojan program could turn hostile, Ammon said, even though the initial purpose of the Trojan was to send out spam without the original sender being traceable.
Rutrell Yasin contributed to this article.