Internet users visiting some of the most popular sites on the Web may unwittingly be downloading malicious code that compromises their computers and sets up a relay network for a future onslaught of spam, a security services company warned Thursday.
NetSec, which provides managed security services for large businesses and government agencies, began detecting suspicious traffic on several of its customers' networks on Thursday morning, said chief technology officer Brent Houlahan.
Without the user's knowledge, the code connects their PC to one of two IP addresses in North America and Russia. From those systems they unknowingly download a piece of malicious code that appears to install a keystroke reader and probably some other malicious code on the computer, Houlahan said.
The code may be gathering the addresses of websites visited by affected users and the passwords used to access them. In addition, the IP address in Russia is a known source of spam, and the code may be creating a network of infected machines that could be used to relay spam across the Internet at some later date, he said.
He stressed that NetSec is still examining the code and has yet to determine the exact payload or the intent of the attack. The SANS Institute's Storm Center is also studying the outbreak and has found that the code surreptitiously downloads and installs a Trojan horse program named msits.exe, according to Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Center.
Ullrich did not specify what functions are performed by the msits.exe Trojan.
NetSec declined to name the affected websites for liability reasons but said they are "big, big sites". It is probably the Web hosting facilities that cache content for those sites that are infected, rather than the "origin servers" at the Internet service providers themselves, Houlahan said.
"The tricks used in this particular attack method are nothing new. What's significant about this is the fact that it impacts major Web hosting facilities," said Dan Frasnelli, who manages NetSec's technical assistance center.
The attack affects only users running Windows and Explorer, he said. It was unclear Thursday how the attack originated, but it may exploit a known vulnerability in Microsoft's IIS Web Server software at the Web hosting facilities, Frasnelli said.
It was also unclear Thursday afternoon how many systems had been compromised and how widespread was the problem. NetSec said it had protected its own customers by writing custom intrusion detection signatures and blocking its customers' PCs from visiting the IP addresses involved in the attack. "There's a potential for widespread impact because currently the anti-virus vendors don't have a signature for it," Frasnelli said.