:angry: Web virus aims to steal financial data

By Duncan Martell



SAN FRANCISCO (Reuters) - A potentially dangerous Internet attack on personal computers by a virus designed to steal financial data and passwords from Web users has rippled across the Internet, computer security experts say.



The attack, which surfaced earlier this week and is known as the "Scob" outbreak, exploits a vulnerability in servers using a version of Microsoft's IIS software, and has been called more dangerous than the recent "Sasser" and "Blaster" infections.



The infected servers in turn exploit another vulnerability in Microsoft's Internet Explorer browser to install a Trojan Horse virus on the PCs of Web surfers who visit the infected Web sites, said Alfred Huger, senior director of engineering at Internet security company Symantec.



"All of this takes place while it looks like you're viewing the same Web page," Huger said on Friday. "You don't even know that parts of your browser have been redirected to another Web site."



The U.S. Computer Emergency Readiness Team warned on its Web site that "any Web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code."



The Trojan Horse places a keystroke logger on users' PCs and is designed to capture credit card numbers and passwords and send them back to a server in Russia, said Michael Murray, director of vulnerability and exposure at computer security firm nCircle Network Security.



By late Friday, however, the threat to users' personal data seemed to have diminished, at least for the time being.



"The server appears to have been shut down in the last eight hours," Murray said. "We don't know if it was shut down by authorities or whether it was accidental."



NO PATCHES YET



The attack is more alarming than most because there are no patches available yet from Microsoft to fix the vulnerability in Internet Explorer that lets the hackers take control of computers, security researchers said.



On its Web site, Microsoft said users could search for the files "Kk32.dll" or "Surf.dat" to see if their PCs were infected. The company also suggested that users set their browser security level to "high."



Stephen Toulouse, a security program manager at Microsoft, said there were three vulnerabilities involved in the attack, two of which Microsoft addressed in April with software patches. He said Microsoft was working on a patch to fix this latest vulnerability, which was published about two weeks ago.



Toulouse said that version 5 of Microsoft's Internet Information Services software which had not had an April patch installed was vulnerable to being turned into a virus transmitter.



"The attacker is exploiting a vulnerability and changing the Web pages on the server and turning them around to try and exploit vulnerabilities on Internet Explorer that customers are using to view the (infected) Web sites," Toulouse said.



Experts also urged computer users to update their anti-virus protection software.



Most anti-virus software has been updated so that it can prevent the Trojan Horse from being installed, but because there is no patch, there's no way to prevent future attacks to install the virus, Huger said.



"The truly alarming part is there is no patch available for that vulnerability," Huger said. The Macintosh version of Internet Explorer is not affected, :hammer: