• PC World
• »Security

A new Internet attack discovered this week was designed by an infamous group of Russian virus writers to steal credit card and other financial information from Web surfers and send it to Web sites where it can be retrieved by hackers, security experts warn.

Mikko Hyppönen, director of antivirus research at Helsinki antivirus company F-Secure, says his team had stayed up all night examining details of the new threat and has connected it with a known Russian virus writing group called Korgo.

According to Hyppönen, the group has hacked into Web servers of some major Internet service providers that host "huge" Web sites, such as an online auction site and banking sites, to append malicious code to their pages.

Collecting Data

This code, which security researchers are calling "Scob," connects the user's PC to Web addresses run by the hackers from which they can silently download and install a Trojan horse. This then uses a keystroke logger to collect Web surfers' passwords, logins, PayPal payment data, and other sensitive information, Hyppönen says, and then sends them to Web sites where the hackers can retrieve them.

"It just boggles the mind when you see the amount of information available on these sites--credit card numbers, banking information--and its available to anyone who knows the Web sites," Hyppönen says.

He adds, however, that the Web addresses where the information is being stored are not obvious and that potential hackers would have to reverse engineer the code to find them.

Law authorities, who were already investigating the Korgo group, have an open investigation into the case and are working on shutting down the sites, Hyppönen says.

Graham Cluley, senior technology consultant at security firm Sophos, says that his team has also connected the threat to the Korgo group. However, he says that in their research they have not been able to get through to the Web addresses that download the Trojan horse.

"So far it doesn't cause much harm, but the hackers could choose to redirect users to other addresses that work," he says.

Cluley also warns that the hackers could choose to change the Trojan horse, enabling it to launch a spam or denial-of-service attack. "The world is really their oyster," he says.

Security experts have said that the attack only affects users of certain versions of Microsoft's Internet Explorer browser.

Additionally, Cluley says that it appears that the threat only affects Web servers running Microsoft IIS 5 (Internet Information Services) Web Server software and not Microsoft IIS 6, which comes with Windows 2003 Server.

Updates Available

In the meantime, various antivirus firms are working to update their products to protect against the threat. As of early Friday morning, F-Secure had updated its offering to protect users, Hyppönen says, and he expects other companies to follow shortly.

Additionally, Cluley says that there has been some evidence that Web sites have been able to avoid the threat because they downloaded a patch made available by Microsoft in April to thwart the Sasser worm.

"Our advice is that everyone download the Sasser patch," Cluley says. "And really, sites that haven't done so yet, that have slept through the whole Sasser hoopla, really cannot say that they take their network security seriously."

Because most sites should have patched against Sasser, and Sophos has been unable to connect to the addresses hosting the Trojan horse code, Cluley believes that the attack is not a huge threat so far. However, he warns that this could change.

The threat was initially detected late Thursday, with managed security services firm NetSec and the SANS Institute's Storm Center warning against the vulnerability.

So far all of the security researchers have remained tight-lipped about which major Web sites are being affected by the attack. It is also unclear how many users and sites have been affected so far.