(New Scientist) Just clicking on web sites hosted by a hacked server was enough to infect computers with a mysterious new virus that was first detected on Thursday. The virus exploits two unpatched vulnerabilities in Microsoft’s Internet Explorer browser and was not detected by anti-virus software.
The spread of the virus was finally blocked on Friday at about 1130 EST, according to anti-virus software vendor Symantec and research organisation the SANS Internet Storm Center. This was achieved by blocking traffic to a Russian web site that was crucial to the function of the virus.
But security experts are warning that copy-cat virus attacks are likely, because the two vulnerabilities in Internet Explorer are still unpatched. “That makes it pretty insidious,” says Alfred Huger of Symantec, in Cupertino, California. “People will take advantage of these vulnerabilities in future.”
Although the tactic for spreading computer viruses via downloads from websites has been used before, this latest attack was particularly stealthy because it gave no indication that a virus was being downloaded – in the past infected web sites have been obviously defaced.
Worse, says Johannes Ullrich, chief technology officer at the Internet Storm Center, all Internet Explorer users were at risk because anti-virus software had not yet been programmed to detect the virus and because Microsoft has not released a patch for the vulnerabilities.
Analysts at the centre say that hackers seeded the web sites with malicious code either by breaking into unsecured servers or by using a vulnerability in Microsoft’s web software, Internet Information Server, for which there is a patch.
When a user visited an infected website using an Internet Explorer browser, they were redirected to a web site in Russia, which automatically downloaded a malicious file on to their computer and executed it, via the two unpatched vulnerabilities. None of this could have been detected by the user.
The names of the infected web sites are not being released, but Ullrich describes them as “a great mix” including online brokerages, e-commerce sites and “random industrial organisations”. But he says that neither eBay nor Google was infected.
Internet Service Providers are now blocking all traffic to the Russian web site, preventing any further spread of the virus. However, it is not known how many computers have already been compromised.
The virus turned computers into zombies that can still be controlled remotely by the hackers to send spam or launch distributed denial of service attacks. In some cases, it installed key-logger software designed to capture sensitive information, such as passwords and credit card numbers, reports the Internet Storm Center.
Brent Houlihan of security services provider NetSec was so concerned about the virus’s spread on Friday morning that he told News.com: “I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the internet right now.”