By Chris Mosby
Some hackers no longer break into computers for mere fun and recognition; they’re motivated by profit. Somewhere along the line, the war for control of your computer shifted from fame to fortune.
Nowadays, compromised computers — with a total numbering in the millions, organized into “botnets” or “zombie armies” — are sold or traded like commodities. They send out spam e-mails or perform distributed denial of service (DDoS) attacks against Web sites to extort money from the legitimate owners.
How are hackers able to accomplish such large-scale computer compromises? By using respected Web sites to gain entry.
Black hats have hijacked thousands of sites
This has been accomplished by targeting the servers of Web hosting companies. These firms often host scores of different sites on a single server machine. Once a hacker has compromised one of those servers — exploiting any of a number of unpatched vulnerabilities, or taking advantage of ineffective patch management by the hosting company or the Web site owners — he or she can modify the server-wide Microsoft IIS header files that the server prepends to every page it serves. A single edit there injects malicious code into the home pages of every Web site hosted on that server.
Normally, these headers have a legitimate purpose. This is the same technology that’s used to show banner ads atop all the pages of a Web site, for example. But in one recent case, detected on May 3, the headers were changed to include a hacker’s invisible, zero-width frames. These frames then use Java and Internet Explorer exploits to try to install a Trojan horse on computers that visit the respected site. From that point on, an infected computer belongs to the hacker.
The hacker code in this instance exploits vulnerabilities that are closed by the Microsoft security bulletins MS02-055, MS03-011, MS04-038, and even the fairly recent MS05-001 (released Jan. 2005), as well as a Java applet vulnerability. The code also detects which browser version the visitor is running, so it can try the particular exploits most likely to succeed against that browser.
There’s no ‘safe haven’ on the Web
Not even Web sites devoted to computer security are safe from this kind of attack, if their Web hosting company doesn’t secure its servers. In the zero-width-frame case mentioned above, Roger McClinton discovered that the home page of his information security blog had been modified. A frame had been added that directed browsers to a site that exploited IE flaws to install spyware. This hijack was very similar to another hack that happened a couple of months ago.
Roger’s Web host was reluctant to admit that they were at fault in this case, even though a Web search at one point showed over 1,500 compromised Web sites, most of them hosted on his Web hosting service. Until his hosting company fixed the problem, he was forced to keep an eye on his blog for any unwanted modifications. Thankfully, things have by now been corrected at that host.
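The injected frames described above are hidden (zero width and height) and point to a host the site doesn’t own, which is exactly what a site owner watching for unwanted modifications can check for. The script below is an added example, not code from the article or from the blog in question: it parses a page’s HTML with Python’s standard library and flags any frame that is zero-sized, hidden by CSS, or loaded from a foreign host, and it keeps a digest of a known-good copy so a change to the page shows up even if the injected tag takes a form the scanner doesn’t recognize. The sample page, the hostnames (www.example.org, evil.example) and the file names in it are constructed for illustration.

```python
"""Watch a Web page for injected hidden or off-site frames.

Added example (not from the original article). The HTML below is a
constructed sample; the hostnames in it are placeholders.
"""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments that hide an element without removing it from the page.
HIDING_STYLES = ("display:none", "visibility:hidden")
ZERO_SIZE = re.compile(r"\s*0+(px|%)?\s*$")


class FrameScanner(HTMLParser):
    """Collect every <iframe>/<frame> start tag with its attributes."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            # html.parser returns None for valueless attributes; normalize to "".
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def _is_zero(value):
    """True for width/height values such as '0', '0px' or '0%'."""
    return bool(value) and ZERO_SIZE.match(value) is not None


def find_suspicious_frames(html, site_host):
    """Return (reason, src) pairs for frames that are hidden or off-site.

    site_host is the hostname the page legitimately belongs to; a frame
    whose src lives elsewhere is reported even if it is visible.
    """
    scanner = FrameScanner()
    scanner.feed(html)
    findings = []
    for frame in scanner.frames:
        src = frame.get("src", "")
        style = frame.get("style", "").replace(" ", "").lower()
        if _is_zero(frame.get("width")) or _is_zero(frame.get("height")):
            findings.append(("zero-size frame", src))
        elif any(hidden in style for hidden in HIDING_STYLES):
            findings.append(("css-hidden frame", src))
        host = urlparse(src).hostname
        if host and host != site_host:
            findings.append(("off-site frame", src))
    return findings


def page_digest(html):
    """SHA-256 of the page as served; compare against a known-good copy."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def page_changed(html, known_good_digest):
    """True if the page no longer matches the snapshot the owner trusts."""
    return page_digest(html) != known_good_digest


# Constructed sample: a legitimate banner, a legitimate same-site frame,
# and one injected zero-width frame pointing at a foreign host.
SAMPLE_PAGE = """<html><head><title>Sample blog</title></head><body>
<div id="banner"><img src="/ads/banner.gif" width="468" height="60"></div>
<iframe src="http://evil.example/loader.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://www.example.org/sidebar.html" width="200" height="300"></iframe>
<p>Welcome to the blog.</p>
</body></html>"""

if __name__ == "__main__":
    for reason, src in find_suspicious_frames(SAMPLE_PAGE, "www.example.org"):
        print(f"{reason}: {src}")
```

In practice the owner would fetch the live page (for example with urllib) on a schedule, run `find_suspicious_frames` on it and compare `page_digest` with the digest recorded when the page was last known clean; the digest check is the safety net for injected content that isn’t a frame at all, such as a script tag.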
How you can protect yourself
This kind of mass Web site hijack will happen again. It’s just a matter of time and some new exploits. With this in mind, I’m sure you’re wondering what you can do to keep your computer from becoming another “zombie” that a hacker controls.