Musings – Abhay S. Kushwaha

A story on ZDNet reports that “online organized crime groups are breaking into Web servers” and installing code there that takes advantage of two unfixed flaws in Internet Explorer to install a program that “takes control of the user’s computer.”

The most significant paragraph of this story is:

Researchers believe that attackers seed the Web sites with malicious code by breaking into unsecured servers or by using a previously unknown vulnerability in Microsoft’s Web software, Internet Information Server (IIS). When a victim browses the site, the code redirects them to one of two sites, most often to another server in Russia. That server uses the pair of Microsoft Internet Explorer vulnerabilities to upload and execute a remote access Trojan horse, RAT, to the victim’s PC. The software records the victim’s keystrokes and opens a back door in the system’s security to allow the attacker to access the computer.

This problem would not exist if these IIS servers were patched tight. Yet, despite numerous crippling infections because of other IIS exploits, stupid, ignorant and completely clueless idiots who manage IIS web-servers and don’t patch them are putting every user who visits their website in good faith at risk. They’re violating the implicit trust a user places in the website of a reputed and trusted organisation–that they will not be taken advantage of and not be served code that is malware.

An even more serious part of the report says that the compromised websites include those of financial institutions and ecommerce sites. These would be sites that actively solicit a user’s personal data and stores it on the server. If the server is compromised, so is the security of any data on that server. Will you be comfortable in having an online credit card transaction on such a site?

The possibilities of such a network to be used for DDoS (Distributed Denial of Service) attacks, SPAM-bot networks, et al are only the tip of the iceberg. This network represents computing power equivalent of supercomputers — in teraflops. It could potentially be used for anything… paranoid? Think not.