Russian hackers investigate new vulnerabilities

25 Jun 2004
Virus News

Kaspersky Lab, a leading information security software developer, announces a new case of mass infection, caused by a combination of malware and unsanctioned access to computer systems. Web servers running Microsoft Internet Information Services (IIS) 5 are affected, and individual computers become victims when the user views an infected site using Internet Explorer.

An unusual method is used to infect victim machines. Web servers are compromised using a JavaScript Trojan, Trojan.JS.Scob.a. It is not yet clear whether the servers have been compromised via a new vulnerability, or an already documented one.

When Internet Explorer is used to view a site on an infected server, the Trojan will take control of the victim machine, and redirect the browser to a site containing a PHP script. This is done using an unknown vulnerability in Internet Explorer. A version of Backdoor.Padodor (.w, .x, .y, or .z) will then be installed on the victim machine. This spy program enables full remote control over victim machines.

Most versions of Padodor contain the line 'Coded by HangUp Team' or 'Coded by HT', leaving no doubt as to the author's identity.


The use of Padodor in the current attack makes it likely that the attack was initiated by the HangUp Team, an internationally known group of hackers and virus writers. The group is responsible for a number of malicious programs, including the recent Padobot worm, aka Korgo. This worm attacks victim machines by exploiting a vulnerability in Windows LSASS, and receives remote commands via IRC channels.

The HangUp Team was founded by three inhabitants of Archangel, Russia. In 2000, they were arrested and placed on probation for creating and distributing malicious code. However, the HangUp Team is still active, and has members from throughout the former Soviet Union, and possibly from other countries. The group is also notorious for its strong ties with the spamming industry, which uses networks of zombie machines created by the HangUp Team. Such networks are created using Trojans: once a proxy-server is configured, these networks can be used as spamming platforms.

'We may be talking about a zero-day exploit here - a vulnerability which no-one knows about, and which there is no patch for. The hackers may have discovered the vulnerability themselves, or paid for the information, and compromised IIS servers around the world in order to distribute this Trojan spy program. We have been predicting such an incident for several years: it confirms the destructive direction taken by the computer underground, and the trend in using a combination of methods to attack. Unfortunately, such blended threats and attacks are designed to evade the protection currently available,' commented Eugene Kaspersky, head of Anti-Virus Research at Kaspersky Lab.

Updates for Kaspersky Lab anti-virus databases already contain definitions of Trojan.JS.Scob.a, and Backdoor.Padodor.x, .y and .z.