FRAMINGHAM (11/05/2003) - Some visitors to Web sites hosted by Interland Inc. are still feeling the effects of an Aug. 28 security breach that allowed their systems to be infected with malicious code.
Following up on readers' e-mails about the problem, Computerworld Wednesday spoke with Jeff Reich, director of security at Atlanta-based Interland. He acknowledged an ongoing problem, but downplayed its significance.
According to Reich, Interland was the "recipient" of an attack in August that wasn't directed specifically against the company or any individual, but was broadly targeted across the Internet.
Since then, Interland has been able to pin down the type of attack and the methodology the attacker is using by looking at what the attacker is doing. Through defensive methods that Interland has in place, the company has been able to reduce the scope of any new attack and shorten its response time when one occurs, Reich said.
"The attacker doesn't load any malicious code at any site hosted at Interland, but attempts to insert code that (tells a visitor's computer), 'When you finish doing what you're going to do, go to this other site and download what many antivirus programs pick up as a virus,'" he said. "The good news is that any visitor to any Web site with a currently patched Web browser and an antivirus program is likely to get a message that says, 'Hey someone is trying to download a virus,' but nothing is going to happen to them."
When the problem first occurred, it affected a broad swath of servers and a large number of sites where redirects took place. "We've been able to determine how that was happening and somewhat been able to predict when it will happen again," Reich said. "In the couple cases where it's happened since then, it's really almost a nonevent, because within a couple minutes of it starting, we're able to see it, address it and contain it. And within about 15 minutes' time of when we find it, we're able to remove it."
Although the problem recurred as recently as yesterday, there were no persistent redirects or persistent attempts to download any code, he said.
Previously, Reich said, the security breach resulted in malicious HTML code being injected into the footers that appear at the bottom of Web pages hosted on Interland's servers. The code prevented infected Web pages from loading properly, causing some sites to become unavailable. The code took advantage of a flaw, disclosed on Aug. 20, in several versions of Microsoft Corp.'s Internet Explorer browser.
The company learned of the problem Aug. 28, when customers called to complain of service disruptions, according to Reich. What started as a small-scale problem quickly became a large-scale event, he said, although he declined to specify how many sites were affected. At the time Computerworld reported the initial attack, Reich said he believed that as of Sept. 4, the problem was no longer affecting customers.