French ISP's site targeted by hackers

A hacker compromised the corporate Web site of France Telecom's Internet service provider (ISP) subsidiary Wanadoo on Monday, causing the site to try to install a malicious software program on computers of visitors, the company said Wednesday.

The site, www.wanadoo.com, had been altered to use two common software exploits that redirect a visitor's Web browser from that address to Web sites that attempted to download a Trojan horse program onto their computers. The attacks are just the latest example of malicious hackers compromising prominent Web pages and using them to distribute malicious code to unsuspecting users.

"Someone succeeded in breaking into the site and altering a page," Wanadoo spokeswoman Caroline Ponsi said Wednesday. The attack happened on Monday night, she said, and occurred despite the fact that "All our software is up to date."

"We're in the process of checking everything before starting it up again," she said. "We have an idea how he got in."

Wanadoo has identified the network from which the attack originated, and has made a complaint to the ISP concerned, she said.

The Wanadoo site was taken down at about 5:30 p.m. Central European time Tuesday, redirecting visitors to a notice that a technical problem had occurred.

During the attack, Wanadoo.com distributed copies of two common exploits, one called "Exploit-ByteVerify" and the other called MHTML URL. At least one of the files, the MHTML URL, was also used in the June attacks that used compromised Internet Information Services (IIS) Web servers to distribute malicious code, said Craig Schmugar, virus research manager at McAfee Inc.'s Antivirus Emergency Response Team Labs.

If the attack successfully exploited the software holes, users unknowingly accessed a Web site that copied a Trojan horse program called loaderfox onto their computers.

Microsoft issued software patches for the holes compromised by both exploit programs, Schmugar said. McAfee's antivirus software spotted the files pushed out by wanadoo.com.

The Wanadoo site, which usually provides background information on the company's strategy and structure, was still not operating Thursday, although the redirection was changed to point toward the site for Wanadoo's French subscribers.

The Wanadoo hack is just the latest in a string of such incidents in recent months.

In June, a Russian hacking group known as the "hangUP team" used a recently patched buffer overflow vulnerability in Microsoft's implementation of SSL (Secure Sockets Layer) to compromise vulnerable Windows 2000 systems running IIS Version 5 Web servers. The June attacks also used two vulnerabilities in Windows and the Internet Explorer Web browser to silently run malicious code named "Scob" or "Download.ject" from the IIS servers on machines that visited the compromised sites, redirecting the customers to Web sites controlled by the hackers and downloading a Trojan horse program that captures keystrokes and personal data.

Last week, researchers at PivX Solutions intercepted malicious code that closely resembled Scob. The new attacks used mass-distributed instant messages to lure Internet users to Web sites that distribute malicious code similar to Download.ject, said Thor Larholm, senior security researcher at PivX.

Paul Roberts contributed to this report from Boston.
