Trojan virus attacks popular Web sites

 
 
Col Man
 
Reply Sun 27 Jun, 2004 03:56 am
Internet researchers were scratching their heads over an attack that targeted some of the most popular sites on the Web with a trojan virus that exploits flaws in Microsoft's Internet Explorer Web browser.

Visiting the infected sites attaches a JavaScript code to the browser, and the code attempts to download one of several trojans from a Web site address in Russia that is a known source of spam.

A Trojan virus, like a Trojan horse, is a program that appears safe -- but smuggles in a worm or virus.

Researchers at the SANS Institute, an Internet research and education center in Maryland, said the infected sites, first reported Sunday, no longer posed a problem but cautioned that "other stealthy backdoors" could surface.

"The site [in Russia] that delivers the actual trojan program is no longer reachable," researcher Johannes Ulrich said in an e-mail interview on Friday.

"While there may still be a few copies of the JavaScript around which try to download this trojan, it will no longer be able to do so."

Ulrich added that the researchers were working with "some of the infected Web sites [to] try to piece together the exact means by which the sites got compromised."

Microsoft officials withheld comment, but the company issued a security alert Thursday saying that "Web servers running Windows 2000 Server and IIS that have not applied update 835732 ... are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code."

Researchers won't issue a list of compromised sites, but the SANS Institute Internet Storm Watch's Handlers' Diary said "the list is long and includes businesses that we presume would normally be keeping their sites fully patched."

"We do try to protect our sources and not to embarrass any system administrators in charge of these sites," Ulrich said, particularly until the researchers learn how the infection happened.

"In addition, if we know of a site that is infected, we focus on having the malicious code removed."

Alfred Huger, senior director of engineering for Internet security company Symantec, said the virus was "really insidious because once you've visited the sites, you won't know you've been broken into."

He also warned that the malicious code includes a keylogger program that records keystrokes and transmits sensitive information back to the hacker, including user names and passwords.

"These [hackers] aren't kids on a digital joyride," said Huger. "It's clear their motive is financial gain."

Symantec has evidence from its clients in the banking industry that bank employees' passwords were pilfered and used by hackers to access corporate networks, he said.

This is not the first time hackers have used Internet Explorer in this way. The Nimda worm in the fall of 2001 exploited an older flaw to propagate itself. Nimda was a mass-mailing worm that was easier to detect than the current Internet attack.

Other Web browsers, such as Netscape, Opera and Mozilla, are not affected.