
Most Web Users Safe As Major Net Attack Slows To Keyboard Logging: Page 3 of 5

Other reasons why hackers will continue to exploit the situation are the ongoing confusion about how the servers -- and the sites hosted on them -- became infected in the first place, and the ongoing vulnerability of Internet Explorer.

"That's the biggest mystery," said Mikko Hyppönen, F-Secure's director of anti-virus research. "Nobody seems to know how they were initially infected." Security firms are still trying to puzzle out whether the servers were exploited through a known vulnerability -- the most likely culprit is one patched by Microsoft in April -- or a so-called "zero-day" vulnerability. Exploits of zero-day vulnerabilities attack flaws for which no patch is available, and are considered worst-case by security experts.

Internet Explorer also remains vulnerable, said Dunham, contrary to Microsoft's claim. The client can be infected by such attacks through two vulnerabilities. One was patched in April but the second is a zero-day vulnerability called ADODB. (A patch against ADODB was issued in November 2003, but it doesn't protect against this newest exploit.)

"Microsoft has said if you're fully patched you're okay," said Dunham, "but we took live exploit code and ran it on a fully-patched client, and the code ran just fine."

In a document classified as "Critical," Microsoft tells users to visit Windows Update, the company's security update service, to protect themselves against the attack.