Update: Service Pack 2 will block this attack. More at end of this post.
eweek: “Security experts are tracking a new piece of malware that appears to be compromising large numbers of Windows PCs and may be laying the groundwork for the creation of a large spamming network or a major attack in the future.”
More on InfoWorld:
“Examining firewall logs and other data points on those networks, NetSec found that when users visit certain popular Web sites — including an online auction, a search engine and a comparison shopping site — they unwittingly download a piece of malicious JavaScript code attached to an image or graphics file on the site.
Without the user’s knowledge, the code connects their PC to one of two IP (Internet Protocol) addresses in North America and Russia. From those systems they unknowingly download a piece of malicious code that appears to install a keystroke reader and probably some other malicious code on the computer, Houlahan said.”
There are no patches available yet. So what’s a computer user supposed to do? One expert quoted in a CNet article says: “I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now.”
From the US-CERT website: “US-CERT recommends that end-users disable JavaScript unless it is absolutely necessary. Users should be aware that any web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code.”
And also on US-CERT some detail on what’s going on: “Compromised sites are appending JavaScript to the bottom of web pages. When executed, this JavaScript attempts to access a file hosted on another server.”
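A webmaster can check their own served pages for the two indicators US-CERT describes: script appended after the closing </html> tag, and script that reaches out to a host other than the site's own. This is an added example, not code from the post or from US-CERT; the sample pages and hostnames below are constructed.

```python
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def audit_page(html, site_host):
    """Return findings for one served HTML document (empty list = nothing suspicious).

    Indicators checked, following the US-CERT description quoted above:
    1. a <script> that sits after the closing </html> tag (injected code was
       appended to the bottom of pages);
    2. a <script> whose src=, or a URL in its inline body, points at a host
       other than the site's own (the injected code fetched a file elsewhere).
    """
    findings = []
    end = html.lower().rfind("</html>")
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        hosts = set()
        src = SRC_RE.search(attrs)
        if src:
            hosts.add(urlparse(src.group(1)).hostname)  # relative src -> None
        for url in URL_RE.findall(body):
            hosts.add(urlparse(url).hostname)
        foreign = sorted(h for h in hosts if h and h.lower() != site_host.lower())
        trailing = end != -1 and m.start() > end
        if trailing or foreign:
            findings.append({"offset": m.start(),
                             "after_html_close": trailing,
                             "foreign_hosts": foreign})
    return findings


# Constructed sample pages; hosts are documentation addresses, not real indicators.
CLEAN_PAGE = ('<html><head><title>Shop</title>'
              '<script src="/js/app.js"></script></head>'
              '<body><p>Welcome</p></body></html>\n')
APPENDED_PAGE = CLEAN_PAGE + '<script src="http://203.0.113.7/x.js"></script>\n'
INLINE_PAGE = CLEAN_PAGE + ("<script>document.write('<iframe src=\"http://198.51.100.9/a\">')"
                            "</script>")

if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("appended", APPENDED_PAGE), ("inline", INLINE_PAGE)]:
        print(name, audit_page(page, "shop.example"))
```

Run it over a crawl of your own site's responses; a clean page yields no findings, while a page with script appended past </html> or pointing off-site is listed with its offset.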
Still researching.
Update: Systems with Service Pack 2 installed are not at risk.
From the Microsoft security site:
“Microsoft teams are investigating a report of a security issue affecting customers using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer, components of Windows.
Important: Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk.
Reports indicate that Web servers running Windows 2000 Server and IIS that have not applied update 835732, which was addressed by Microsoft Security Bulletin MS04-011, are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code.”
To determine if you have been infected, search all files on your drives for:
Kk32.dll
Surf.dat
There’s more info about Download.Ject on the Microsoft site.
I’m glad to hear that SP2 prevents the malicious code from spreading. I’ve been running the beta for quite a while and overall I’ve encountered few problems. It’s up to you whether you want to install SP2 or not if you haven’t done so, since it is beta software. But two things. First, if you have a Tablet PC, it significantly improves the user experience; and second, no matter what type of computer you have, it greatly improves security on your computer by adding a commercial-strength firewall among numerous enhancements throughout the OS. The fact that the SP2 beta blocks Download.Ject indicates that Microsoft is on the right track.
According to Microsoft:
“*Important* Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk.”
https://www.microsoft.com/security/incident/download_ject.mspx
They list steps for System Administrators, Home Users and Enterprise Customers. The stories leave the impression that Microsoft and others are stumped about what to do. This is not the case.
Thanks! I see this was posted after I went to bed last night 🙂
This is exactly what I was wondering. It’s a great testament to SP2.