Web-based exploits are pretty common nowadays. It’s almost daily that we hear of sites being compromised one way or another. Today, it’s IIS servers. IIS is Microsoft’s web-server platform. It runs on Windows servers and generally serves ASP, or Active Server Pages, dynamic content similar to what PHP or Ruby produce on other platforms. There is some speculation that this is related to a recent security advisory from Microsoft, but that has not been confirmed.
Several popular blogs, including one at the Washington Post, have posted information describing the situation. There is a bit of confusion, however, as to what exactly the attack is. It appears that the IIS servers were compromised through the aforementioned vulnerability, while other web servers are being compromised through SQL injection. So it looks like several attack vectors are being used to spread this particular beauty.
Many of the reports are using Google searches to estimate the number of infected systems. Estimates put that figure at about 500,000, but take it with a grain of salt. While a lot of sites are affected, using Google as the source of this particular metric is somewhat flawed. Google reports the total number of pages it found matching the search string, not the number of distinct sites, so a single compromised server with hundreds of injected pages gets counted hundreds of times. It’s safe to say, however, that this is pretty widespread.
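To see how much the raw hit count overstates things, here is a small added example (not from the original post or any of the reports it cites) that takes a list of search-result URLs and counts distinct hosts instead of pages. The URLs and hostnames are constructed for illustration; substitute the result URLs you actually collected.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: result URLs as a search engine might return them for a
# query matching the injected content. All hostnames are hypothetical.
SAMPLE_RESULTS = [
    "http://www.example-shop.test/products.asp?id=12",
    "http://www.example-shop.test/products.asp?id=13",
    "http://www.example-shop.test/news.asp",
    "http://example-shop.test/about.asp",
    "http://cityportal.test/default.asp",
    "http://cityportal.test/events.asp?month=4",
    "http://forum.hobbyclub.test/viewtopic.asp?t=99",
]


def normalize_host(url):
    """Return the lower-cased hostname of a URL with a leading 'www.' stripped,
    so that www.site and site count as the same compromised server."""
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def summarize(urls):
    """Compare the raw hit count (what a search engine reports) with the number
    of distinct hosts, and show how many hits each host contributed."""
    per_host = Counter(normalize_host(u) for u in urls if normalize_host(u))
    return {
        "raw_hits": len(urls),
        "distinct_hosts": len(per_host),
        "per_host": dict(per_host),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_RESULTS)
    print("raw hits:      ", summary["raw_hits"])
    print("distinct hosts:", summary["distinct_hosts"])
    for host, n in sorted(summary["per_host"].items(), key=lambda kv: -kv[1]):
        print(f"  {host}: {n} page(s)")
```

Even on this tiny constructed list the raw count is more than twice the number of distinct servers; on a real result set of hundreds of thousands of hits the gap is what makes the "500,000" figure a ceiling rather than a count of infected hosts.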
Regardless of the method of attack, and which server is infected, an unsuspecting visitor to the exploited site is exposed to a plethora of attacks. The malware uses a number of exploits in popular software packages, such as AIM, RealPlayer, and iTunes, to gain access to the visitor’s computer. Once the visitor is infected, the malware watches for usernames and passwords and reports them back to a central server. Both ISC and ShadowServer have excellent write-ups on both the server exploit and the end-user exploit.
Be careful out there, kids…