
Scob virus contained – for now

A new virus that allows hackers to remotely access computers that are infected simply by visiting compromised web sites has been largely contained. But the virus exploits three separate flaws in Microsoft products – one of which remains unpatched.

OUT-LAW News, 28/06/2004

The 'Scob' virus, also known as Download.Ject, came to light on Thursday. It was the subject of an alert issued by the US Computer Emergency Readiness Team (US-CERT), warning that "any web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code."

The virus works by using a flaw in Microsoft's Internet Information Server to both infect web servers and compromise web sites running off that server. When a web user visits an infected web site, the blended virus then uses flaws in the Internet Explorer software to automatically, and unobtrusively, re-direct the computer to another web site. This site, based in Russia, downloads a Trojan onto the computer.

A Trojan is a piece of malicious software that is installed onto a computer without the owner's knowledge. Once installed, the Trojan can be used for many purposes, such as obtaining personal information from the infected computer, or even the sending of spam.

On this occasion, according to alerts issued by CERT and security firms, the Trojan was able to record confidential information, such as credit card details and passwords, and e-mail the data back to the hackers.

However, the Russian web site suspected of involvement in the attack has been identified and e-mail is no longer being forwarded to that site, according to reports.

Many sites hit by the virus have been identified, and the malware removed, but as it is impossible for computer users to know when they have visited a compromised site, no one knows how many infected computers there are.

Stephen Toulouse, a security program manager at Microsoft, told the Washington Post that the company does not believe this to be a large attack. "Nonetheless, we view this as a very real threat, with serious significance in terms of the potential impact on our customers," he said.

The significance is intensified because one of the flaws exploited by the virus is still unpatched, and therefore vulnerable to attack.

Microsoft has advised users to take the usual precautions and to make sure that their browser security settings are set to the maximum, even if this will impair browser functionality a little.

CERT also recommended that users of Internet Explorer use other browsers, such as Netscape or Mozilla, which are not targeted by the virus.

Disclaimer: This was printed from OUT-LAW.COM, a service of international law firm Pinsent Masons. We hope you find this content useful. However, please note that nothing in this document constitutes specific legal advice. You should consult a suitably qualified lawyer on any specific legal problem or matter. Any questions, please email info@out-law.com.