Unlike viruses that spread by email, this infection is propagated simply by visiting an infected site, which can install a so-called trojan or keystroke logger that allows hackers access to the PCs.
Various security experts labelled the malicious program Scob, Download.Ject, Toofer or Webber.P.
“Users should be aware that any website, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code,” said the government-funded Computer Emergency Readiness Team (CERT) in a warning posted late Thursday.
The trojan affects websites running Microsoft’s IIS 5.0 program for web servers, experts said.
“If users of Internet Explorer visit web pages infected by Scob, their computer may attempt to download a file from a Russian website,” the security firm Sophos said Friday.
Patrick Hinojosa, chief technology officer at Panda Software, said the number of infected computers was not known, but that experts hoped to have a better idea of the spread in coming days.
“It’s a troublesome development,” he said by telephone. “This is one of the first times we’re seeing large websites having been hacked to have this type of code that affects the user … a large amount of internet traffic hits these sites.”
Panda Software added that the danger in this threat is that it “is difficult to recognise, as it does not display any messages or warnings that indicate it has reached the computer”.
But because of the apparent financial motive and the link to Russian servers, Hinojosa said: “We suspect there is Russian organised crime or something like it behind this.”
The security firm LURHQ said the trojan program appears aimed at stealing passwords or financial information.
“The trojan appears to be designed for the purposes of ‘phishing’, that is, stealing financial and other account details from the infected user,” LURHQ said.
“While most phishing is done via email, this trojan directly captures password and logins if the infected user attempts to log in to eBay or [payment site] Paypal and also Earthlink, Juno and Yahoo webmail accounts.”
Microsoft called the incident “critical” and urged users to download updates to protect their systems.