Surfers at risk from corporate websites

Security researchers warned web surfers on Thursday to be on their guard after uncovering evidence that widespread web server compromises have turned corporate home pages into points of digital infection.

The researchers believe that online organised crime groups are breaking into web servers, surreptitiously inserting code that takes advantage of two flaws in Internet Explorer that Microsoft has not yet fixed. Those flaws allow the Web server to install a program that takes control of the user's computer.

The extent of the attacks is unknown, but the security community has seen numerous cases of personal computers infected when the user merely visits a Web site.

"It is not epidemic, but it is being seen," said Alfred Huger, senior director of engineering for security firm Symantec. "Do we think it is serious? Yeah. It's a concern and it's insidious."

The tactic is not new. Earlier this month, an independent security researcher found an aggressive advertising program, known as adware, which installed itself onto a victim's computer via the same two flaws in Internet Explorer. A large financial client called in Symantec in late April after an employee's system had been infected when he used Internet Explorer to browse an infected Web site. Last autumn, a similar may attack have been facilitated through a mass intrusion at Interland, said sources familiar with that case.

This time, however, the flaws affect every user of Internet Explorer, because Microsoft has not yet released a patch. Moreover, the infectious Web sites are not just those of minor companies inhabiting the backwaters of the Web, but major firms, including some banks, said Brent Houlahan, chief technology officer of NetSec.

"There's a pretty wide variety," he said. "There are auction sites, price comparison sites, and financial institutions."

The Internet Storm Centre, which monitors net threats, confirmed that the list of infected sites included some large Web properties.

"We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site.

The group also pointed out that the malicious program uploaded to a victim's computer is not currently detected as a virus by most antivirus software. With no patch from Microsoft, that leaves Internet Explorer users vulnerable. A representative of the software giant was not immediately available for comment on when a patch might be available.

Researchers believe that attackers seed the websites with malicious code by breaking into unsecured servers or by using a previously unknown vulnerability in Microsoft's web software, Internet Information Server (IIS). When a victim browses the site, the code redirects them to one of two sites, most often to another server in Russia. That server uses the pair of Microsoft Internet Explorer vulnerabilities to upload and execute a remote access Trojan horse, RAT, to the victim's PC. The software records the victim's keystrokes and opens a back door in the system's security to allow the attacker to access the computer.

Meanwhile, the average Internet surfer is left with few options. Windows users could download an alternate browser, such as Mozilla or Opera, and Mac users are not in danger.

NetSec's Houlahan advocated drastic action.

"I told my wife, unless it is absolutely necessary and unless you are going to a site like our banking site, stay off the Internet right now," he said.