Hundreds of Thousands of Microsoft Web Servers Hacked

Status
Not open for further replies.

Cyrus_the_virus

Unmountable Boot Volume
Hundreds of thousands of Web sites -- including several at the United Nations and in the U.K. government -- have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors' machines.
The attackers appear to be breaking into the sites with the help of a security vulnerability in Microsoft's Internet Information Services (IIS) Web servers. In an alert issued last week, Microsoft said it was investigating reports of an unpatched flaw in IIS servers, but at the time it noted that it wasn't aware of anyone trying to exploit that particular weakness.

On Thursday, Spanish anti-virus vendor Panda Security said that it had alerted Microsoft that a flaw in IIS was the cause of all the break-ins. When I asked Microsoft whether they'd heard from Panda or if the hundreds of thousands of sites were hacked from a patched or unpatched flaw in IIS, a spokesman for the company didn't offer much more information.

"Microsoft is currently aware of and is receiving reports regarding public claims of attacks on IIS Web servers," said Bill Sisk, a security response manager at Microsoft, in a statement e-mailed to Security Fix. "While we have not be [sic] contacted directly regarding these reports, we will continue to monitor all reports either publically [sic] shared or responsibly disclosed and investigate once sufficient details are provided. We have not yet determined whether or not these reports are related to Microsoft Security Advisory (951306) released last week."

According to Finnish anti-virus maker F-Secure, the number of hacked Web pages serving up malicious software from this attack may be closer to half a million.

Dancho Danchev, an independent security analyst, has a decent write-up on signs that Web site owners can look for to tell whether their site has been hit by this attack. Danchev said all of the hacked sites appear to have Javascript coding added to their page source that silently pulls down malware from a few domains in China, namely nihaorr1.com and haoliuliang.net.

Needless to say, if you run a Google search for these sites you will find tens of thousands that contain the script that redirects any visitors to these malicious sites. I would strongly urge people to steer clear of those sites: I mention them here so that Web site owners can more easily search the HTML code in their pages for these domains.

There are indications that this attack is coming in waves, with the bad guys swapping in new malicious downloader sites every few days. According to posts on an IIS user forum, Web site administrators first saw signs of this attack on April 17, the day before Microsoft issued its initial advisory on the IIS vulnerability.

If you run your site with IIS, please take a moment to consider applying the workarounds in the Microsoft advisory for your version of IIS. Also, that IIS.net post I mentioned earlier has some great tips to help administrators lock down their systems.

These types of attacks that infiltrate legitimate, trusted Web sites are precisely the reason I so often recommend Firefox over Internet Explorer. There is a great add-on for Firefox called "noscript," which blocks these kinds of Javascript exploits from running automatically if a user happens to visit a hacked site. Currently, there is no such protection for IE users, and disallowing Javascript entirely isn't really an option on today's World Wide Web. True, you can fiddle with multiple settings in IE to add certain sites to your "Trusted Zone," but that option has never struck me as very practical or scalable.

Source: Washington Post


Security expert: Don't blame Microsoft for mass site defacements :lol:

Progress was made Monday in mitigating thousands of SQL-based Web sites injected with malicious Javascript code. However, one security expert says we can expect more such attacks in the near future.

A traditional SQL injection attack allows malicious attackers to execute commands on an application's database by injecting executable code. "What's different about this latest attack is the size and the level of sophistication," said Jeremiah Grossman, CTO of White Hat Security.

On Monday, CNET found a few sites still infected with the latest SQL-injection attack.

In the past, attackers have gone after a small niche of the Internet--say travel sites or sports sites--but with this latest attack, attackers have a generic way to blast the Internet, and they've chosen to attack sites running MS-SQL.

On Friday, Microsoft denied that new vulnerabilities within Internet Information Services are to blame for a rash of Web site defacements. Microsoft insists it's the application developer's responsibility to follow the company's best practices. These include constraining and sanitizing input data, using type-safe SQL parameters for data access, and restricting account permissions in the database.

Grossman agreed it's not Microsoft's fault, :lol: and said the attacks could have easily targeted another vendor's software. If users surf to an SQL-injected site, their browser will attempt to download a variety of exploits, not all of which are Microsoft-based. One site from the Shadowserver Foundation lists exploits affecting Real and other vendors alongside various Microsoft Security bulletins.

Grossman said that just turning off Javascript won't necessarily protect end users from this latest round of attacks since the attackers can use traditional HTML as well.

"It's said that the attacks never get worse, they only get better," Grossman said. But in terms of the good guys closing the gap with the attackers, he remains optimistic. He said with more diligence and more care, we can protect Web sites from these attacks.

Source: CNet
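The check the quoted Washington Post article recommends to site owners (searching page source for the two named domains), written out as an added example that is not part of the original post or either article. It matches on the host of each script tag's `src` rather than on a bare substring; the sample page, its `.js` paths and the `example.org` host are constructed.

```python
import os
import re

# Domains named in the article quoted above.
FLAGGED_DOMAINS = ("nihaorr1.com", "haoliuliang.net")
# src value of a <script> tag, quoted or unquoted, any letter case.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
# Host part of an absolute or protocol-relative URL.
HOST = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//([^/:?#]+)", re.IGNORECASE)


def flagged_scripts(html, domains=FLAGGED_DOMAINS):
    """Return (line_number, src) for script tags served from a flagged domain."""
    hits = []
    for match in SCRIPT_SRC.finditer(html):
        src = match.group(1)
        host = HOST.match(src)
        if host is None:
            continue  # relative URL, i.e. a same-site script
        name = host.group(1).lower().rstrip(".")
        # Compare whole host labels so look-alike hosts are not flagged.
        if any(name == d or name.endswith("." + d) for d in domains):
            hits.append((html.count("\n", 0, match.start()) + 1, src))
    return hits

def scan_tree(root, extensions=(".htm", ".html", ".asp", ".aspx")):
    """Map each page file under root to its flagged script tags."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = flagged_scripts(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample page; the .js paths and example.org host are made up.
SAMPLE_PAGE = """<html><body>
<script src="/js/menu.js"></script>
<p>Blue widget<script src=http://www.nihaorr1.com/example.js></script></p>
<SCRIPT type="text/javascript" SRC='//haoliuliang.net/example.js'></SCRIPT>
<script src="http://nihaorr1.com.example.org/ok.js"></script>
</body></html>"""

if __name__ == "__main__":
    for line, src in flagged_scripts(SAMPLE_PAGE):
        print(f"line {line}: {src}")
```

Since the CNet article attributes the script to SQL injection, the tag may sit in database content rather than in files on disk, so `flagged_scripts` is also worth running over rendered responses. The articles say the downloader domains were being swapped every few days, so the domain list needs updating to stay useful.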
 

JGuru

Wise Old Owl
It's business as usual as far as Hackers are concerned!!!!
Use Ubuntu Server Edition with Apache Web Server. It's hack-proof.
No ports are open. Fully secure Linux O.S.
 

praka123

left this forum longback
bad reports reg M$haft is sure a headache for window$ users.
Use Linux! Move fast!
Debian - *debian.org - one of the most secure OS. Good for server systems.
Ubuntu won't come near Debian Etch when reg. security :)
 

kumarmohit

Technomancer
sad indeed but unless more details emerge and MS is actually held responsible, I think we should go on easy with criticism. Unless we know that it is the road maker's fault, this is like blaming the contractor for losses caused by jaywalkers not following traffic laws and walking on footpath!

If it is actually MS's fault which I strongly suspect is going to be the case, consider the above statement nullified and count me into bashing the company! ;)

@ Praka
Again bro, easy on the links. It makes reading your replies hurt my head and eyes. Too much blue text. Please I humbly state that this forum is not a place to play SEO and improve their page rank!
 
I donno the details but if the cause is only SQL injection, then no company can be held responsible. It's the responsibility of developers to take measures available to them to strengthen security and I think every book that I have read on database systems and data access technologies talks about these issues, specially SQL Injection.
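Two of the developer-side measures listed in the CNet article quoted in the first post (constraining input and using type-safe SQL parameters), shown beside the string-built query they replace. This is an added example, not code from the thread or from Microsoft; it uses Python's `sqlite3` as a stand-in for MS-SQL, and the table, rows and request value are constructed.

```python
import re
import sqlite3

# Constructed request value: a textbook always-true clause, for testing only.
TAUTOLOGY = "1 OR 1=1"


def make_db():
    """In-memory stand-in for the site database (table and rows are made up)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles "
               "(id INTEGER PRIMARY KEY, title TEXT, draft INTEGER)")
    db.executemany("INSERT INTO articles VALUES (?, ?, ?)",
                   [(1, "Launch notes", 0), (2, "Pricing", 0),
                    (3, "Unreleased", 1)])
    return db


def titles_concat(db, article_id):
    """Weak form: the request string becomes part of the SQL text."""
    sql = ("SELECT title FROM articles WHERE draft = 0 AND id = "
           + article_id + " ORDER BY id")
    return [row[0] for row in db.execute(sql)]


def titles_bound(db, article_id, validate=True):
    """Hardened form: constrain the input, then bind it as a typed parameter."""
    if validate:
        if not re.fullmatch(r"[0-9]{1,9}", article_id):
            raise ValueError("article id must be 1-9 decimal digits")
        article_id = int(article_id)
    # The value travels separately from the statement and is never parsed as SQL.
    sql = "SELECT title FROM articles WHERE draft = 0 AND id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (article_id,))]


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", titles_concat(db, TAUTOLOGY))
    print("bound only:  ", titles_bound(db, TAUTOLOGY, validate=False))
    try:
        titles_bound(db, TAUTOLOGY)
    except ValueError as err:
        print("validated:   ", err)
```

The third measure in the article, restricting the database account's permissions, is a server-side setting and is not modelled here.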
 

iMav

The Devil's Advocate
^^ are in any way trying to say that there is a chance that MS's OS are not to be blamed:? if so then there is no point ;)

you are *www.thinkantiMS.com/forum :)
 

hellknight

BSD init pwns System V
Switch to Red Hat Server, Ubuntu Server or Suse Linux Enterprise Server. Make your website secure.
 
OP
Cyrus_the_virus

Unmountable Boot Volume
I donno the details but if the cause is only SQL injection, then no company can be held responsible. It's the responsibility of developers to take measures available to them to strengthen security and I think every book that I have read on database systems and data access technologies talks about these issues, specially SQL Injection.

^^ are in any way trying to say that there is a chance that MS's OS are not to be blamed:? if so then there is no point ;)

Cyrus_the_Virus said:
The attackers appear to be breaking into the sites with the help of a security vulnerability in Microsoft's Internet Information Services (IIS) Web servers. In an alert issued last week, Microsoft said it was investigating reports of an unpatched flaw in IIS servers, but at the time it noted that it wasn't aware of anyone trying to exploit that particular weakness.

On Thursday, Spanish anti-virus vendor Panda Security said that it had alerted Microsoft that a flaw in IIS was the cause of all the break-ins. When I asked Microsoft whether they'd heard from Panda or if the hundreds of thousands of sites were hacked from a patched or unpatched flaw in IIS, a spokesman for the company didn't offer much more information.

"Microsoft is currently aware of and is receiving reports regarding public claims of attacks on IIS Web servers,"

I wonder which company is to blame for not patching a flaw in MICROSOFT Internet Information Services (IIS) :rolleyes::rolleyes: :lol:
 