Internet users visiting some of the most popular sites on the Web may unwittingly be downloading malicious code that compromises their computers and sets up a relay network for a future onslaught of spam, a security services company warns.
NetSec, which provides managed security services for large businesses and government agencies, began detecting suspicious traffic on several of its customers' networks on Thursday morning, says Chief Technology Officer Brent Houlahan.
Without the user's knowledge, the code connects their PC to one of two IP addresses in North America and Russia. From those systems they unknowingly download a piece of malicious code that appears to install a keystroke reader and probably some other malicious code on the computer, Houlahan says.
The code may be gathering the addresses of Web sites visited by affected users and the passwords used to access them. In addition, the IP address in Russia is a known source of spam, and the code may be creating a network of infected machines that could be used to relay spam across the Internet at some later date, he says.
He stressed that NetSec is still examining the code and has yet to determine the exact payload or the intent of the attack. The SANS Institute's Storm Center is also studying the outbreak and has found that the code surreptitiously downloads and installs a Trojan horse program named msits.exe, according to Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Center.
Ullrich did not specify what functions are performed by the msits.exe Trojan.
NetSec declines to name the affected Web sites for liability reasons but says they are "big, big sites." It is probably the Web hosting facilities that cache content for those sites that are infected, rather than the "origin servers" at the Internet service providers themselves, Houlahan says.
"The tricks used in this particular attack method are nothing new. What's significant about this is the fact that it impacts major Web hosting facilities," says Dan Frasnelli, who manages NetSec's technical assistance center.
The attack affects only users running Microsoft's Windows operating system and Internet Explorer browser, he says. It was unclear Thursday how the attack originated, but it may exploit a known vulnerability in Microsoft's IIS (Internet Information Services) Web Server software at the Web hosting facilities, Frasnelli says.
It was also unclear Thursday afternoon how many systems had been compromised and how widespread the problem was. NetSec says it had protected its own customers by writing custom intrusion detection signatures and blocking its customers' PCs from visiting the IP addresses involved in the attack.
"There's a potential for widespread impact because currently the [antivirus] vendors don't have a signature for it," Frasnelli says.