IIS Exploit Infecting Web Site Visitors With Malware

Malicious code is being spread through numerous web sites running Microsoft web servers, automatically infecting Internet users who visit these sites. Affected sites include "businesses that we presume would normally be keeping their sites fully patched," said the SANS Institute, which describes the exploit as a "widespread issue."

The method of infection appears similar to an exploit reported last year at Interland, in which a footer file inserts malicious code onto a web page, instructing the user's browser to download a trojan. In the new exploit, compromised Internet Information Servers (IIS) are seeding HTML files with footers containing JavaScript code, which then uses a sophisticated new hacking technique to trick fully-patched versions of Internet Explorer into downloading a trojan - in this case, one known as "msits.exe" residing on a server in Russia.
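Because the injection described above lands as a footer appended to every served HTML file, one practical check for a site operator is to fetch their own pages and look for script blocks sitting after the closing </html> tag, where legitimate page content never goes. The script below is an added illustration of that check, not code from the article or from SANS or US-CERT; the sample pages and the placeholder URL inside them are constructed for the example.

```python
import re

# Constructed sample pages (not real sites). The second one carries a script
# block appended after </html>, the shape a server-side footer injection takes.
SAMPLE_CLEAN = "<html><body><h1>Shop</h1></body></html>\n"
SAMPLE_INJECTED = (
    "<html><body><h1>Shop</h1></body></html>\n"
    '<script>window.open("http://PLACEHOLDER.invalid/x.htm");</script>\n'
)

# Matches a complete <script>...</script> element, case-insensitively,
# including ones that span several lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)


def trailing_scripts(html: str) -> list[str]:
    """Return every script block that appears after the closing </html> tag.

    A well-formed page has nothing meaningful after </html>, so any script
    found there is worth an analyst's attention. Pages with no </html> at
    all return an empty list; that case needs a separate, looser check.
    """
    close = HTML_CLOSE_RE.search(html)
    if close is None:
        return []
    tail = html[close.end():]
    return [m.group(0) for m in SCRIPT_RE.finditer(tail)]


def audit_pages(pages: dict[str, str]) -> dict[str, list[str]]:
    """Map each page path to its trailing script blocks, keeping only pages
    that have at least one. `pages` would normally be filled from HTTP
    responses fetched from the operator's own site."""
    findings = {}
    for path, html in pages.items():
        blocks = trailing_scripts(html)
        if blocks:
            findings[path] = blocks
    return findings


if __name__ == "__main__":
    result = audit_pages({"/index.html": SAMPLE_CLEAN, "/cart.html": SAMPLE_INJECTED})
    for path, blocks in result.items():
        print(f"{path}: {len(blocks)} script block(s) after </html>")
        for block in blocks:
            print("   ", block[:80])
```

Run against a crawl of the site's own pages, a hit on many unrelated pages at once is the signature of a server-wide footer rather than a single defaced page. The check is deliberately narrow: it flags placement, not script content, so it stays useful even when the injected code is obfuscated or changes its payload URL.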

The msits.exe malware has been used in phishing scams dating back to April. In that instance, it installed a keystroke logger which tried to capture login information for online banking accounts. One media report suggests that the compromised sites in this newest incident may include "auction sites, price comparison sites, and financial institutions."

Much about this new exploit is unknown or being debated, including the method through which IIS servers are infected, and the effectiveness of the protection supplied by end-user antivirus software. Some early analyses suggest the exploit is being used to build a spam network. However, the nature of the affected sites and the past use of a keylogger by this particular malware raise a troubling alternate possibility - that the exploit could be using e-commerce sites to unknowingly launch phishing scams upon their own users.

In its advisory, the U.S. Computer Emergency Readiness Team recommended that "end-users disable JavaScript unless it is absolutely necessary." The agency added: "Users should be aware that any web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code."