Experts agree on method, not scope of IIS attacks

Accounts of impact vary

At gift basket supplier Young's Inc. in Dundee, Michigan, network administrators first became aware of the new threat on Thursday morning, when employees, including the chief executive officer of the company, received warnings about Trojan programs when they tried to load the company's Intranet Web page, said Ron Guyor, a systems administrator at Young's.

The company uses IIS Version 5.0 with SSL and had not applied the April patch, which Guyor believes was the opening hackers used to compromise his Web server. After shutting down IIS, Guyor used searches for recently updated files in IIS and information from online system administrator news groups to locate and remove the malicious files installed by hackers, he said.

While he is confident that desktop antivirus software from Symantec Corp. prevented the main Trojan horse file from being installed on his users' desktops, he's concerned about the unpatched hole in Internet Explorer and wary that other malicious code may have also been downloaded that Symantec's antivirus engine was not able to detect, he said.

"Internet Explorer is a big concern. If there's something Symantec doesn't know about yet, all you have to do is hit the wrong Web site and (hackers) can install whatever they want to," he said.

Microsoft hasn't seen evidence of widespread attacks, despite dire warnings from some security companies and a handful of tales like Guyor's, Toulouse said.

"Our investigation is showing us that this is not widespread. We haven't seen or heard a lot about this," he said.

That's the case at Network Associates Inc. (NAI), as well, according to Vincent Gullotto, vice president of research at NAI's McAfee Antivirus Emergency Response Team.

"We don't have significant reports of Web sites compromised or of people sending us examples of the new Trojans," he said. "I'd rate this a low risk if you're patched and a medium risk if you're not."

Still, other security companies reported widespread infections.

"Hundreds of thousands of computers have likely been infected in the past 24 hours," said Ken Dunham, director of malicious code in an e-mail statement from iDefense Inc., a security intelligence company in Reston, Virginia.

Managed security company NetSec Inc., in Herndon, Virginia, said it has seen infections across the majority of its customer accounts and knows of infections at large Web hosting farms, where a small number of IIS servers out of a large farm of servers have been compromised, said Dan Frasnelli, manager of NetSec's Technical Assistance Center.

The confusion about the extent of attacks shouldn't be surprising, especially given the novelty of the attack, said Chris Kraft, a senior security analyst at Sophos PLC.

"There tends to be confusion when something new and interesting happens. You get a broad disparity of what people say at the outset of the attack."

Sophos did not receive many reports from customers about the attacks. Still, Kraft thinks the strategy used by the virus writers makes the IIS attacks worth noting.

"The interesting thing is the delivery mechanism. These hackers usurped Web sites that people normally consider safe, then exploited vulnerabilities in the Web browser to download a set of instructions," he said.