‘Hundreds Of Websites Still Infected By Scob Trojan’

Just how many websites have been compromised by last week’s attack of the Scob trojan?

A report released today by Cyveillance, a U.S. based ‘provider of online risk monitoring and management solutions’, concludes that 641 sites were still infected with the JS.Scob.Trojan virus as of June 27, 2004. The company says it used its proprietary Internet monitoring technology to visit all known sites running Microsoft Internet Information Services 5.0 (IIS) — the vulnerable software — and identify which ones were compromised.

As Cyveillance CEO Panos Annastasiadas points out, “this newest form of phishing is far more devious than email-based attacks since a key-stroke logger is installed completely passively on the individual’s computer, without the victim falling for a scam.” Annastasiadas also says “loggers can capture far more personal information than is typically shared with a single phishing site.” That’s an interesting assertion, and I’m not sure it’s completely true. Some phishing sites sought — and presumably got — a wide array of personal information that would not normally be typed into the computer (and therefore not usually caught by keyboard loggers). Of course, the trojan in question may capture more than keystrokes, by, say, probing the hard disk, but I would say a social-engineered phishing attack that lures the victim into entering private data on a kosher-looking web site is going to give the attacker a much more complete picture for the purposes of ID fraud and emptying bank and credit card accounts than random passwords logged and sent back to scammer HQ.

Anyway, Cyveillance says it gathered its data from a previous audit it had conducted of some 50 million web sites, or domains. This audit had revealed some 6.2 million web sites known to run IIS 5.0, the Microsoft software with the hole. It then ran its proprietary technology over those web sites and found 641 confirmed cases. It doesn’t say what those domains were, and 641 doesn’t sound a lot. But given that this test was run several days after the initial attack, probably most of the people running those domains don’t know they’re infected, so that’s still 641 too many.