Malicious server halted

A Russian Web site that had been downloading code to steal financial information from users has apparently been shut down, security officials reported today. No one has figures on how many government or other users may have been affected by the widely publicized network attack.

"Since Friday, this thing was stopped in its tracks," said Oliver Friedrich, senior manager of Symantec Corp.'s Security Response Group. "That being said, the original vulnerability that this attack exploited within [Microsoft Corp.] Internet Explorer has not been fixed."

Warning of a network attack appeared Friday on the Homeland Security Department's U.S-Computer Emergency Readiness Team (US-CERT) Web site, which posts warnings about Internet threats. The notice said that some trusted Web sites, which it did not name, had been compromised and were attaching JavaScipt to the bottom of Web pages as users downloaded them.

The JavaScript was redirecting users to the Russian Web site that attempted to download malicious code onto users' personal computers. Some security companies reported that the harmful code was logging keystrokes and relaying them back to hackers who then could steal passwords, account numbers and other financial information that they would resell.

The malicious code also included a backdoor or Trojan horse program that hackers could use in the future to launch further attacks.

Officials at NetSec Inc., a provider of managed security services, said a small portion of the company's government and commercial customers were affected by the network attack last week.

NetSec security analysts detected unusual behavior on some customers' networks last Wed., June 23, after analyzing data from customers' firewalls. They quickly configured customers' firewalls and routers to block the attack, said Dan Frasnelli, manager of NetSec's technical assistance center.

They also put into place preventative measures to thwart the attack from affecting other customers, he added.

The US-CERT notice was unusually vague, but it did identify the Internet Explorer browser and Internet Information Server 5 software, which is used to run Web sites, as targets of the new attack. The warning advised users to protect themselves by disabling JavaScript in their Microsoft Web browsers.

The nonprofit SANS Institute, which monitors network security, issued a bulletin Friday that said its researchers did not know how trusted Web sites had become infected with the JavaScript but that hackers had exploited two known security holes in Internet Information Server 5 and Internet Explorer, for which patches are available from Microsoft.

Some security companies advised users to set security on high in their Internet Explorer browsers until Microsoft officials create a patch for a third vulnerability that is being exploited in the attack. Security experts also suggested that users switch to a browser other than Microsoft's, at least until Microsoft issues the patch for Internet Explorer.

"The door's open," Friedrich said. "There still no fix for this, and it's anyone's guess whether someone's going to come along in the next couple of days or next couple of weeks and write another exploit or additional malicious code to exploit this vulnerability."

Security experts said users can click on their computers' search button and scan for the filenames "Kk32.dll" and "Surf.dat" to see if their computers might have become infected. Antivirus companies announced they have tools that will remove the harmful files.

Noting the increasing harm posed by network attacks, Gail Hamilton, an executive vice president at Symantec, said in a speech earlier this month in Washington, D.C., that more potentially harmful network attacks have occurred in the past four months than in all of last year.

Security analysts will continue to monitor the situation, said Ken Ammon, president of Netsec. Analysts are not sure whether systems infected by the Trojan program could be used for more malicious activity such as launching a denial-of-service attack on networks.

The Trojan program could turn hostile, Ammon said, even though the initial purpose of the Trojan was to send out spam without the original sender being traceable.

Rutrell Yasin contributed to this article