Compromised Web Sites Infect Web Surfers

Discussion in 'other security issues & news' started by Uguel707, Jun 25, 2004.

Thread Status:
Not open for further replies.
  1. Uguel707

    Uguel707 Graphic Artist

    Joined:
    Nov 9, 2002
    Posts:
    2,999
    Location:
    San Diego
    This morning I read that there are all sorts of javascript exploits being distributed by hacked legitimate websites. They haven't found what the source of the vulnerability is. This is almost certainly just an unknown IE vulnerability so it is probably safe to run javascript in Opera and Firefox if you need it but I disabled it on all, just in case!

    source:

    http://isc.incidents.org/
     
  2. Justhelping

    Justhelping Guest

    A minor correction

    I believe it's the IIS webservers which are being exploited by some unknown exploit. Once infected those websites will attempt to infect IE users, but in this case using known exploits. One of these exploits is still unpatched.
     
  3. Arin

    Arin Registered Member

    Joined:
    May 1, 2004
    Posts:
    997
    Location:
    India
    Some days ago an expert with Kaspersky commented that spammers will join hands with coders. At that time many people thought it's just too extreme and now look what we've got. That expert joined Kaspersky after leaving RAV for greener pasture. hmm... he was right about it. I tried to connect to those websites but looks like they are all down :(
     
  4. Tony H

    Tony H Registered Member

    Joined:
    Dec 5, 2002
    Posts:
    32
  5. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Is there a way to tell if your PC has been compromised?


    Edit: Found an answer to my own question from the link above. Using an app like PE you can...

    "If you are able to monitor traffic to the infected host, you may see attempts to contact 217.107.218.147 on port 80."
     
  6. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Suggestion. I went into my firewall (ZA PRO) and added a block to that IP address. Sounds like a good backup plan.
     
  7. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    Here is a little more info
     
  8. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Apparently NOD32 hasn't updated for this (SCOB) yet.

    Correction: Another name is apparently PADODOR, which was added in today's NOD32's signatures. Thanks Ronjor! :D
     
    Last edited: Jun 25, 2004
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,185
    Location:
    Texas
    Look at this thread from this morning D&C. Link
     
  10. Uguel707

    Uguel707 Graphic Artist

    Joined:
    Nov 9, 2002
    Posts:
    2,999
    Location:
    San Diego

    Right! But you may have not noticed this: "...This morning I read that there are all sorts of javascript exploits being distributed by hacked legitimate websites...". So I understood that the website itself is not the "offender" but rather the "offended" that spreads the infection unintentionally to the visitors. Also, some pages I read on that matter said that it explores an unknown (unpatched) exploit like you said. And others recommended this:

    "Home users are being told to update their browser and avoid the threat by turning off Javascript. However, this could mean that some webpages do not display as expected. Microsoft has also given advice about how people can check if they are infected. So far the server/browser combination has not been given a single name. In its warning about the problem Microsoft calls it download.ject but others, such as F-Secure, are calling it Scob."

    From: http://news.bbc.co.uk/1/hi/technology/3840101.stm

    Furthermore:

    "...you visited an affected page, and your BROWSER is compromised:
    * You may see a warning about a javascript error. But it depends on how the attack code interferes with other javascript on the respective page, and many users disable these javascript warnings.
    * Disconnect the system from the network as soon as possible.
    * Run a thorough virus check with up to date virus definitions. Many AV vendors released new definitions as recently as last night.
    * If you are able to monitor traffic to the infected host, you may see attempts to contact 217.107.218.147 on port 80.
    (right Dazed_and_Confused!!! :) )

    We do not have any evidence of any other target IPs being involved at this point. However, as this ip is no longer reachable, attackers may plant scripts that point to other IPs in the future.
    * AV software will detect the javascript as 'JS.Scob.Trojan'...."

    from: http://isc.incidents.org/

    Surfing carefully and being aware is the key!
     
  11. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Apart from an up to date AV and 'safe surfing' is the rule to block 217.107.218.147 on port 80 extra security for this flaw we have now? I have added 2 in Sygate Pro one for TCP and one for UDP for this address and port 80 but just need to know if this is the correct thing to do o_O Thanks
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    This has been going on for quite some time now, actually.

    regards.

    paul
     
  13. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hello, Robyn! I have added a rule blocking everything to this address (TCP & UDP), all ports. I think it's a great backup plan - just in case.... :D
     
  14. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Thanks D&C I will keep my safety net on both TCP and UDP in my firewall ;) There is a lot of confusing information out about this one with one report saying it is Ok while others are still warning about the danger o_O
     
  15. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    As has been posted, if you have a decent AV, you should be safe. I do, but I always double-lock my doors too. :rolleyes: As a safety net, it's probably sufficient to simply block TCP connections to port 80 of the aforementioned IP address. But I see no reason not to block all traffic to the site.

    P.S. Really like your avatar! :D
     
  16. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Thanks again - I have edited my rule to cover all!

    Pleased you like my little lonely fairy (I adore any of them) ;) ever read 'Little, Big' enchanting :) much nicer than the armed guards we now need to be online!
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,185
    Location:
    Texas
    Web site virus attack blunted.

    Web surfers are no longer playing Russian roulette each time they visit a Web site, security researchers say, now that a far-reaching Internet attack has been disarmed.

    Info
     
  18. dog

    dog Guest

    Hi Ronjor, ;)

    Thanks for the Good News! ;)

    dog - *puppy*
     
  19. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    it's yet another CWS hijack that we have been fighting for the past couple of years

    The main AV vendors have just woken up to it

    this also helps to prevent it affecting you

    to see if we can prevent the cws hijackers reinfecting you try this:
    install a good firewall, lists here http://www.wilders.org/firewalls.htm if you haven't already got one and block these ranges of ports, both incoming and outgoing

    209.66.114.0 - 209.66.115.255
    81.211.105.0 - 81.211.105.255
    213.159.96.0 - 213.159.127.255
    217.107.218.0 - 217.107.218.255
    that stops the known cws servers responding or any hidden files on your computer updating. This works sometimes but not always as some hijacks come from a different IP number but it's a help. The problem with this approach is that some good sites might also be blocked (not many as all the IP numbers are in Russia and very few Russian sites have much relevance to most people and as far as I know all the IP numbers listed are known to be CWS sites)
     
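    The two indicator lists in this thread (the single 217.107.218.147:80 host from the ISC advice quoted earlier, and the four CWS ranges dvk01 gives above) can be checked against firewall logs rather than only entered as block rules. The following is an added example, not code from the thread or from any of the tools mentioned; the log layout it parses is constructed for the example and is not any real firewall's format, and it also converts the start-end ranges to CIDR prefixes for firewalls that only accept those.

```python
import ipaddress
import re

# Indicators quoted in this thread: the host the Scob/download.ject script
# contacts on port 80, and the four CWS address ranges dvk01 lists.
SCOB_HOST = ipaddress.ip_address("217.107.218.147")
CWS_RANGES = [
    ("209.66.114.0", "209.66.115.255"),
    ("81.211.105.0", "81.211.105.255"),
    ("213.159.96.0", "213.159.127.255"),
    ("217.107.218.0", "217.107.218.255"),
]

def ranges_as_cidr():
    """Express each start-end range as CIDR prefixes, for firewalls that take those."""
    out = []
    for lo, hi in CWS_RANGES:
        nets = ipaddress.summarize_address_range(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
        out.extend(str(n) for n in nets)
    return out

def classify(ip):
    """Say why a destination is of interest, or None if it is on neither list."""
    addr = ipaddress.ip_address(ip)
    if addr == SCOB_HOST:
        return "scob-host"
    for lo, hi in CWS_RANGES:
        if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
            return f"cws-range {lo}-{hi}"
    return None

# Constructed sample in a simple "proto src:port -> dst:port" layout (not any real firewall's format).
SAMPLE_LOG = """\
2004-06-25 09:12:01 TCP 192.168.1.10:1043 -> 217.107.218.147:80 ALLOW
2004-06-25 09:12:05 TCP 192.168.1.10:1044 -> 198.51.100.20:80 ALLOW
2004-06-25 09:13:17 TCP 192.168.1.12:1101 -> 213.159.100.7:80 ALLOW
2004-06-25 09:14:02 UDP 192.168.1.10:1025 -> 192.168.1.1:53 ALLOW
"""
LOG_RE = re.compile(r"(\w+)\s+(\d+\.\d+\.\d+\.\d+):\d+\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)")

def find_hits(log_text):
    """Return (src, dst, dport, proto, reason) for every line whose destination is listed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and classify(m.group(3)):
            proto, src, dst, dport = m.groups()
            hits.append((src, dst, int(dport), proto, classify(dst)))
    return hits
```

    The addresses are 2004 indicators and will have been reallocated since, so a hit on an old log is only a prompt to look closer, not proof of infection.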
  20. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Wow. More great information dvk01. You're a wealth of knowledge today! :D
     
  21. dog

    dog Guest

    Yes, Thanks much Derek. ;) :D

    I'm Blocked and Protected!

    I hope you make this info a sticky in the Hijack Info Forum.

    Thanks

    dog - *puppy*
     
  22. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Thanks dvk01 I am going to add these rules right now and share them with others who have concerns about this, hopefully that is OK as your knowledge and advice cannot be disputed ;)
     