Attack on IIS Web Sites Infects Browsers With Malicious Code

edited June 2004 in Science & Tech
Security analysts say that the malicious code that has been infecting some Windows machines since Thursday morning was planted via an IIS (Internet Information Services) vulnerability on the Web servers that host some high-traffic sites.
Users visiting those sites have had their machines infected with a piece of code that installs a keystroke logger and other malicious tools. The attack appears to affect only machines running Internet Explorer, and users do not have to click on any links or images in order for the code to download. The Trojan that's installed on compromised machines is a fairly simple one.
It's quite scary that these vulnerabilities haven't been patched yet. I hope this gets fixed soon. -KF

Source: eWeek

Comments

  • Straight_Man (Geeky, in my own way) Naples, FL Icrontian
    edited June 2004
    KingFish wrote:
    Security analysts say that the malicious code that has been infecting some Windows machines since Thursday morning was planted via an IIS (Internet Information Services) vulnerability on the Web servers that host some high-traffic sites.


    It's quite scary that these vulnerabilities haven't been patched yet. I hope this gets fixed soon. -KF

    Source: eWeek

    Today, same article has been updated. Two fixes for end clients.... XP2 RC2 is not vulnerable (but can be risky to install in other ways and I would not install it just to fix this vuln until it is out of beta), and updating regular boxes with all critical patches without installing XP2 RC2 AND running IE at high security level for surfing will block this at client end. This thing does not get in through any browser besides IE right now, AFAIK.

    Here's how to get the WindowsUpdate site to work with an IE defaulted to high security for the Internet zone:

    Run IE

    Then do, in IE:

    Tools|Internet Options|Click on Security Tab|Click on Internet Zone|Move slider to High. Do not exit the security tab dialog.

    Click on Trusted Sites Icon|click on Sites button|uncheck the box next to Verify....



    Now enter these URLs and click add after each one (each one is on a separate line):

    http://v4.windowsupdate.microsoft.com
    http://windowsupdate.microsoft.com
    http://www.microsoft.com

    Now exit the security tab dialog with a click on apply and then OK until it closes.

    RESTART IE, exit it and reopen it.

    Now you can click WindowsUpdate or go to WindowsUpdate but other sites will get IE in high security mode. AND WindowsUpdate will work for sure in XP Pro SP1a this way, the XP box is doing its check now set that way. This is not published normally because if you let a site that is not trustworthy into trusted sites zone by entering its URL in yourself it will get a low security resistance out of IE and that will let it do all sorts of things you do not want. BUT, these three specific entries will do no harm and let IE block other sites with HIGH SECURITY settings.

    However, since Microsoft DOES wish to give updates out without requiring an https user login, and since they have two redirects internal to Microsoft.com to block other things before you can get to the WindowsUpdate site, this is a three site force to known good sites. THEIR servers that run IIS 5.0 are not infected, and THOSE servers got the MS04-011 (IIS 5.0 and Server O/S version archives) patch applied to them, MS04-011 server version is the server-side fix for this thing.

    Anyone who virus scans online only and is a member here can PM or email me and I will tell how in detail to virus scan with a trusted sites force, will give one example of online scanner access here that I also know is safe for you folks to use:

    You can add http://securityresponse.symantec.com/ to trusted sites zone virus scan from Symantec's Online Viral scanner while IE is set to high security for Internet Zone also if you want an online virus scanner usable that way.

    As and when Microsoft adds more IE patching and says it is safe to relax internet zone settings after patching, I will mention that here in this thread, because I do not like having folks have trusted sites zone populated unless there is a heavy need for same. Consider this a WhiteHat "heavyduty adaptation" to the things life can throw at Windows users that I know and have proven works.

    John Danielson
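    An added audit script for the zone configuration described in the post above (not the poster's own code and not from the thread). It reads the per-user IE zone settings from the registry keys IE uses for the Internet zone slider and the Trusted Sites zone map, checks that the Internet zone is at High, and flags any Trusted Sites entry other than the three update hosts listed in the post. The registry paths, the 0x12000 "High" level value and the zone ids are IE's documented zone settings; the allow-list and the `-Apply` switch are this example's own additions.

```powershell
param([switch]$Apply)   # without -Apply the script only reports, it changes nothing

$ZonesKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$HighLevel    = 0x12000   # CurrentLevel value that corresponds to the "High" slider position
$TrustedZone  = 2         # zone ids: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted
$InternetZone = 3

# The three hosts the post says are safe to place in Trusted Sites (allow-list for the audit).
$AllowedTrusted = @('v4.windowsupdate.microsoft.com', 'windowsupdate.microsoft.com', 'www.microsoft.com')

function Get-InternetZoneLevel {
    $p = Get-ItemProperty -Path "$ZonesKey\$InternetZone" -Name CurrentLevel -ErrorAction SilentlyContinue
    if ($p) { $p.CurrentLevel } else { $null }
}

function Get-TrustedSites {
    # Zone map layout: Domains\<domain>[\<hostprefix>] with a DWORD per scheme (http, https, *) = zone id
    $sites = @()
    foreach ($dom in Get-ChildItem $DomainsKey -ErrorAction SilentlyContinue) {
        $keys = @($dom) + @(Get-ChildItem $dom.PSPath)
        foreach ($k in $keys) {
            $props = Get-ItemProperty $k.PSPath
            foreach ($scheme in @('http', 'https', '*')) {
                if ($props.$scheme -eq $TrustedZone) {
                    $hostName = if ($k.PSPath -eq $dom.PSPath) { $dom.PSChildName } else { "$($k.PSChildName).$($dom.PSChildName)" }
                    $sites += "${scheme}://$hostName"
                }
            }
        }
    }
    $sites
}

# Audit: report the Internet zone level and any trusted entry outside the allow-list.
$level = Get-InternetZoneLevel
if ($level -ne $HighLevel) { Write-Warning ('Internet zone CurrentLevel is 0x{0:X}, expected 0x{1:X} (High)' -f $level, $HighLevel) }
foreach ($s in Get-TrustedSites) {
    $h = ($s -split '://', 2)[1]
    if ($AllowedTrusted -notcontains $h) { Write-Warning "Trusted Sites entry not on the allow-list: $s" }
}

# Optional enforcement: set Internet zone to High and map only the three hosts into Trusted Sites.
if ($Apply) {
    Set-ItemProperty -Path "$ZonesKey\$InternetZone" -Name CurrentLevel -Value $HighLevel -Type DWord
    foreach ($h in $AllowedTrusted) {
        $prefix, $domain = $h -split '\.', 2            # e.g. "www" and "microsoft.com"
        $key = New-Item -Path "$DomainsKey\$domain\$prefix" -Force
        Set-ItemProperty -Path $key.PSPath -Name http -Value $TrustedZone -Type DWord   # http, as in the post's URLs
    }
}
```

    Run it without `-Apply` first; a clean audit prints nothing. Changes take effect for new IE windows, which matches the post's "restart IE" step.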
  • Straight_Man (Geeky, in my own way) Naples, FL Icrontian
    edited June 2004
    Since this thread started with the IIS 5.0 server attack, I will add this info with a full verbatim and commented quote of an email I got from Kaspersky Labs. Their main office is in Moscow, Russia. This email is confirmed legitimate, several ways. It IDs the authoring group of the attack and this is a blended attack, as explained in the quote below (my adds are in bold):

    Virus News. Saturday, June 26, 2004
    ******************************************************************

    1. Russian hackers investigate new vulnerabilities
    2. How to subscribe/unsubscribe
    3. Security Rules

    ****

    1. Russian hackers investigate new vulnerabilities

    Kaspersky Labs, a leading information security software developer,
    announces a new case of mass infection, caused by a combination of
    malware and unsanctioned access to computer systems. Web servers running
    Microsoft Internet Explorer (ISS) 5 are affected, and individual
    computers will become victims when the user views an infected site using
    Internet Explorer.

    An unusual method is used to infect victim machines. Web servers are
    compromised using a JavaScript Trojan, Trojan.JS.Scob.a. It is not yet
    clear whether the servers have been compromised via a new vulnerability,
    or an already documented one.

    This uses Microsoft JavaScript vulns, not Sun Java vulns, and with IE set to high security for surfing most JavaScript of Microsoft J++ or J# kinds that is not signatured and certified will not run, by default. Those on LANs with servers of IIS 5.0 kinds serving intranets might talk to their site security admins or helpdesks about this attack and verify whether or not they need to set the INTRANET zone in IE to high also.

    When Internet Explorer is used to view a site on an infected server, the
    Trojan will take control of the victim machine, and redirect the browser
    to a site containing a PHP script. This is done using an unknown
    vulnerability in Internet Explorer. A version of Backdoor.Padodor (w, x,
    y, or z) will then be installed on the victim machine. This spy program
    enables full remote control over victim machines.

    Padobor's code contains the line 'Coded by HangUpTeam', leaving no doubt
    as to the author's identity. The use of this program makes it likely
    that the current attack was initiated by the HangUp Team, an
    internationally known group of hackers and virus writers. The group is
    responsible for a number of malicious programs, including the recent
    Padobot worm, aka Korgo. This worm attacks victim machines by exploiting
    vulnerability in Windows LSASS, and receives remote commands via IRC
    channels.

    The HangUp Team was founded by three inhabitants of Archangel, Russia.
    In 2000, they were arrested and placed on probation for creating and
    distributing malicious code. However, the HangUp Team is still active,
    and has members from throughout the former Soviet Union, and possibly
    from other countries. The group is also notorious for its strong ties
    with the spamming industry, which uses networks of zombie machines
    created by the HangUp Team. Such networks are created using Trojans:
    once a proxy-server is configured, these networks can be used as
    spamming platforms.

    'We may be talking about a zero-day exploit here - a vulnerability which
    no-one knows about, and which there is no patch for. The hackers may
    have discovered the vulnerability themselves, or paid for the
    information, and compromised IIS servers around the world in order to
    distribute this Trojan spy program. We have been predicting such an
    incident for several years: it confirms the destructive direction taken
    by the computer underground, and the trend in using a combination of
    methods to attack. Unfortunately, such blended threats and attacks are
    designed to evade the protection currently available,' commented Eugene
    Kaspersky, head of Anti-Virus Research at Kaspersky Labs.

    Given Microsoft's statements to eWeek, I strongly feel that this is not totally a zero-day exploit (Kaspersky Labs explained this idea, basically a zero-day exploit is one that occurs before the publisher of the attacked software knows of the exploit and has patched it), and Microsoft has things that are patched which it says are not vulnerable, so this is most probably not totally a zero-day exploit. I am being careful here, it is barely possible that the set of things used contains a zero-day exploit, but given Microsoft's statements I greatly doubt there is a zero-day exploit in this attack set.

    My earlier post about how to protect your box stands. eWeek got its info about what was NOT vulnerable from Microsoft. Microsoft has not detailed the exact vuln set used, but has confirmed that the statements made are true regarding how to protect. IF they prove wrong, best bet is to set IE as in previous post and use it for only access to Microsoft's Domain and use something else to browse with for now.


    Updates for Kaspersky Labs anti-virus databases already contain
    definitions of Trojan.JS.Scob.a, variants .x, .y, .z and
    Backdoor.Padodor.

    These are Kaspersky Lab's and possibly HangUp Team names for these malware things, one (the first) is a Javascript Trojan, the Backdoor is a partially bot delivered Trojan.



    **

    2. How to subscribe/unsubscribe

    If you would like to subscribe to other Kaspersky Lab news blocks or
    to unsubscribe from this news block, you can do so by visiting
    http://www.kaspersky.com/subscribenow.html

    If you experience any problems with this procedure, please contact us at:
    webmaster@kaspersky.com

    3. Security Rules

    To avert unsanctioned attempts to distribute false or forged email news messages purportedly originating from Kaspersky Labs, please note that real Kaspersky Labs news messages are sent only in plain text format and never include file attachments.

    If you receive an email disregarding these strict guidelines, please do not open it, but rather forward it to Kaspersky Labs technical support (support@kaspersky.com) so its contents can be examined.


    ****

    Best Regards,

    Kaspersky Labs Threats Information Department


    10 Geroyev Panfilovtsev St.,
    125363, Moscow
    Russia
    Telephone/Facsimile: +7 (095) 797 87 00
    WWW: http://www.kaspersky.com
    FTP: ftp://ftp.kaspersky.com
    Email: webmaster@kaspersky.com

    Kaspersky Labs corporate policy is to spread news of major viruses, worms, and trojans and the attacks used, and do so at no charge, because they believe that an educated public can combat evil things better. There is therefore no copyright notice in this email and subscribing is free. Kaspersky is one of my main malware info sources, and I share their desire to spread news that is real about malware so informed users can know how to tighten down their boxes. This post is made in conformance to that spirit of giving known real information with attribution plus the principle that knowledge that is practical leads to better prevention.
  • Cyclonite, Tampa, Florida Icrontian
    edited June 2004
    I recently got scammed by one of the Russian buttheads through EBay. Not a good thing. I can't believe such a huge vulnerability went unnoticed for so long. *Sigh*