Spyware spreading through major corporate sites

[Warchyld]

"ZDNet is reporting that corporate web servers are infecting visitors' PCs. The combination of two unpatched IE security holes and hacked corporate websites is apparently distributing malware via several high-credibility sites. ZDNet says users have 'few options' other than alternative browsers or platforms."

zdnet.com.com/2100-1105_2-5247187.html?tag=zdfd.newsfeed

Whee...I'm finally taking the time tomorrow to switch all of our company browsers over to Firefox. What fun.

[michael737n]

siwtch to a mac. use safari. problem solved

[Negative]

So your "solution" is to buy a $1,500 computer? You should be in sales, not in computers

An easier (and cheaper) solution would be to just switch browsers, as pointed out in the article. IE isn't the only browser for Windows. If everybody would switch browsers, of course ad/spyware would start targetting those browsers. But the same goes for your solution: if everybody switches to Mac, you'd see a giant uprise in ad/spyware for Mac. But at least people would safe $1,500

[thread_killer]

Good Lord Neg,
How I wish the wifes Mac only cost $1500

By the time we got the powerbook and the software she needed for it we're talking much closer to $6k.

[Gregctfp]

I just thought I would drop this link to a story I recently read that exposes the myth that Mac's are the most secure platform to use.

Worth a read if you are under the impression Mac OS X is secure.

http://www.techworld.com/security/ne...fm?NewsID=1798

[Elliente]

I find Mozilla to be the most stable browser on the win32 platofrm. It (hardly ever) crashes and I don't have to worry about spyware. Easily I spend 8-12 hours a week removing spyware from desktops and servers (in a 500 user, 50 server environment).

We're currently looking for an anti-spyware solution that we can implement. We need something with a main administration console, preferably web-based....

I've found pest patrol CE has kind of what we're looking for.

Anyone else have some ideas?

[Tiger Shark]

If we aren't talking apples and oranges then this is a java script that is uploaded to the compromised web sites and the properties of the site are altered to attach the javascript as a footer to all pages served.

The script attempts do download malicious code from a web site in Russia that allows spammers to your the compromised client as a relay.

It is yet unknown how the servers are being compromised..... Can we say "zero day"???

Mitigate by blocking all access to 217.107.218.147.

Snort rule for detecting the exploit is:-

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT local resource redirection attempt"; flow:to_client,established; content:"Location|3a|"; nocase; pcre:"/^Location\x3a\s*URL\s*\x3a/smi"; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2577; rev:2;)

[tarpi]

"Zero Day"I wouldn't quite say that yet. Perhaps the IIS5.0 is not patched? It is often that companies do not patch their servers timely.
If it is zero-day, then those russians are pretty damn smart.

[Warchyld]

I've been seeing some conflicting reports. From what I gather, the IIS end of things is a patchable exploit, but there is no patch for the browser end of things if you happen to visit one of these sites with IE.

[Maverick811]

Originally posted here by Warchyld
I've been seeing some conflicting reports. From what I gather, the IIS end of things is a patchable exploit, but there is no patch for the browser end of things if you happen to visit one of these sites with IE.

Well, some of the reports are conflicting at this point but it seems that some are saying that the IIS servers were compromised by this vulnerability: http://www.microsoft.com/technet/sec.../MS04-011.mspx
Either by not applying the patch to begin with or by not rebooting the server once the patch was applied.

You are right, there seems to be no patch currently available for the IE vulnerability. Should definately consider use of another browser full time until IE is patched.