6 replies to this topic

[AplusWebMaster]

FYI...from the Internet Storm Center:

- http://isc.sans.org/...date=2004-06-24
Updated June 25th 2004 01:27 UTC
"RFI - Russian IIS Hacks?
UPDATE (2100 UTC) - Thanks to everybody who generously provided updates to us today. We still do not know how the IIS servers are originally infected with the JavaScript or the modification to the configuration files. Any additional theories or ideas are welcome.
The reason for the attack seems to point back to the spamming community. There is quite a bit of evidence that what we are seeing is yet another technique for spreading and installing "spamware" (software that assists in either creating, relaying, proxying, or otherwise participating in the sending of spam.) We don't see any evidence that this attack is related to the construction of a DDoS network or other type of typical zombie-based attack group. However, we continue to monitor and will provide updates if anything further develops...
[original diary entry follows]
A reader pointed us to an IIS discussion group (microsoft.public.inetserver.iis.security ***) where several IIS administrators discovered some strange .dll files on their web servers in the past 24 hours. According to the discussion on that list, they are all 1kb .dll files. They were deposited in the \winnt\system32\inetsrv directory with names like iis7xy.dll where x is a random number that appears to be between 1-3 and y is a random character or number...
The Storm Center would like to know if others are seeing this phenomena and if there are any ideas about it origin or intent (other than being an attempt to download malware - that's obvious.) The IP address in the JavaScript points to a Russian site, and at the time of this writing it is still active. A note of caution - that site will attempt to insert malicious code onto a visiting machine. Use extreme caution if you decide to visit it."

Also (may be related) >>> Corporate Web servers infecting visitors' PCs
- http://news.com.com/...g=st.util.print
June 24, 2004, 6:35 PM PDT
"...The Internet Storm Center, which monitors Net threats, confirmed that the list of infected sites included some large Web properties. "We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched," the group stated on its Web site. The group also pointed out that the malicious program uploaded to a victim's computer is not currently detected as a virus by most antivirus software. With no patch from Microsoft, that leaves Internet Explorer users vulnerable. A representative of the software giant was not immediately available for comment on when a patch might be available..."

***
- http://www.microsoft...y&lang=en&cr=US

Edited by apluswebmaster, 25 June 2004 - 03:22 AM.

[AplusWebMaster]

FYI...

IIS 5 Web Server Compromises
- http://www.us-cert.g...ivity.html#iis5
added June 24
"US-CERT is aware of new activity affecting compromised web sites running Microsoft's Internet Information Server (IIS) 5 and possibly end-user systems that visit these sites. Compromised sites are appending JavaScript to the bottom of web pages. When executed, this JavaScript attempts to access a file hosted on another server. This file may contain malicious code that can affect the end-user's system. US-CERT is investigating the origin of the IIS 5 compromises and the impact of the code that is downloaded to end-user systems.
- Web server administrators running IIS 5 should verify that there is no unusual JavaScript appended to the bottom of pages delivered by their web server.
- This activity is another example of why end users must exercise caution when JavaScript is enabled in their web browser. Disabling JavaScript will prevent this activity from affecting an end-user's system, but may also degrade the appearance and functionality of some web sites that rely upon JavaScript. US-CERT recommends that end-users disable JavaScript unless it is absolutely necessary. Users should be aware that any web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code..."

[AplusWebMaster]

FYI...from the Internet Storm Center:

Compromised Web Sites Infect Web Surfers
- http://isc.sans.org/...date=2004-06-25
Updated June 25th 2004 14:11 UTC
"...A large number of web sites, some of them quite popular, were compromised earlier this week to distribute malicious code. The attacker uploaded a small file with javascript to infected web sites, and altered the web server configuration to append the script to all files served by the web server. The Storm Center and others are still investigating the method used to compromise the servers. Several server administrators reported that they were fully patched.
- If a user visited an infected site, the javascript delivered by the site would instruct the user's browser to download an executable from a Russian web site and install it. Different executables were observed. These trojan horse programs include keystroke loggers, proxy servers and other back doors providing full access to the infected system.
- The javascript uses a so far unpatched vulnerability in MSIE to download and execute the code. No warning will be displayed. The user does not have to click on any links. Just visiting an infected site will trigger the exploit..."

>>> For further information, visit the URL in this post, and there -is- alot more.

[AplusWebMaster]

More info:

- http://www.f-secure.com/weblog/
00:56 GMT
"...We are investigating a case called "RFI - Russian IIS Hacks?"...

12:04 GMT
"...Microsoft published an update on the Scob (aka Download.Ject) case..."

>>> http://www.microsoft...nload_ject.mspx
Updated June 25, 2004 12:35 A.M. Pacific Time
"Microsoft teams are investigating a report of a security issue affecting customers using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer, components of Windows..."

(For more information, visit the MS URL in this post --^, and there -is- alot more)

[AplusWebMaster]

FYI...

- http://isc.sans.org/...date=2004-06-25
Compromised Web Sites Infect Web Surfers
(for more details, also see yesterday's diary:
- http://isc.sans.org/...date=2004-06-24 )
"UPDATE 17:26 UTC Jan 25 2004
LURHQ published a detailed analysis of the "Berbew" trojan downloaded by this exploit. According to this analysis, the trojan will capture passwords as use log into given e-commerce, bank or auction web sites..."

- http://www.lurhq.com/berbew.html
June 25, 2004
"...The trojan is installed via the ADODB/javascript redirection exploit for Internet Explorer for which there is no current patch. When a user visits an infected IIS server using IE, the trojan will be downloaded from a Russian webserver and executed in the background...The trojan appears to be designed for the purposes of "phishing", that is, stealing financial and other account details from the infected user..."

[AplusWebMaster]

FYI...

-aka-
JS.Scob.Trojan
- http://www.sarc.com/...cob.trojan.html
"...The Trojan's dropper sets it as the document footer for all pages served by IIS Web sites on the infected computer..."
(FYI...reference graphic image shown)


.

[AplusWebMaster]

Correction:

Although related (possibly same author and target), the JS.Scob.Trojan and the Berbew trojan are two different items of malware:

JS.Scob.Trojan
- http://www.sarc.com/...cob.trojan.html

This is but one of several Berbew variaints:
- http://www.sarc.com/...r.berbew.g.html

.