Berbew

Berbew is the latest in a series of attacks against the Mickey Mouse technology of Microsoft Corporation and an attack vector so clever it threatened to finally bring the Redmond house of cards tumbling down.

Using a 'zero-day exploit', the hackers first infected Microsoft IIS web servers at major sites such as eBay, PayPal, and Earthlink, changed the IIS server configuration to allow so-called 'footers' on HTML pages, and put a JavaScript snippet to download a keystroke logger in the footer. The download link was hosted in Moscow.

Even the keystroke logger was brilliant. Installing itself on download, it changed its name, extracted a DLL from itself, kicked the DLL into privileged mode, injected its code into other system threads, and then disappeared without a trace. The keystroke logger was especially on the alert for input at online banking sites.

The first reports reached the SANS Internet Storm Center on 20 June; by the weekend panic was growing; then someone got the Russian web site hosting the payload offline and the crisis was over.

IIS is notorious for its poor engineering and weak security: the US Federal Accounting Office condemned it and forbade its use several years ago. Spurious sites such as eBay continue to use it, despite the documented risks.

Perhaps Berbew will get them to wake up.