Download.Ject - CRITICAL Warnings related to IIS Servers

ISC has an in-depth discussion and they reflect a lot of "unknowns" also. They are looking for input as they examine whether this is possibly a ZERO-DAY ISS exploit? IIS servers that are not patched with the MS04-011 security update can become "spamware servers" injecting Ject.Download to fully patched clients that are not using "ramped up" IE security. In the second link below, Microsoft has discusses this as a CRITICAL and offers ways to manually check for infections.

Bottom line - There are still a lot of unknowns on these issues ....


RFI - Russian IIS Hacks?
http://www.incidents.org/diary.php?date=2004-06-24

What we DON'T know, and can use some help in figuring out, is how the malware is installed on the IIS server to begin with. Is there a zero-day floating around? Is it via a known vulnerability and the use of agent.exe as mentioned above?

Our concern is that there might be an IIS zero-day floating around. We won't list the sites that are
reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched.

* * * * * *

Microsoft also warns and lists "HOW TO TELL IF YOU ARE INFECTED"

What You Should Know About Download.Ject
http://www.microsoft.com/security/incident...nload_ject.mspx

Reports indicate that Web servers running Windows 2000 Server and IIS that have not applied update 835732, which was addressed by Microsoft Security Bulletin MS04-011, are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code.

More information is summarized below. The 1st link below from the Internet Storm Center (June 25) is one of the most informative links).

Internet Storm Center Reports
http://isc.sans.org/diary.php?date=2004-06-25
http://isc.sans.org/diary.php?date=2004-06-24

Microsoft - What You Should Know About Download.Ject
http://www.microsoft.com/security/incident...nload_ject.mspx

Articles
http://www.theregister.co.uk/2004/06/25/virus_hits_websites/
http://www.cnn.com/2004/TECH/internet/06/2...k.ap/index.html
http://zdnet.com.com/2100-1105_2-5247187.html
http://techrepublic.com.com/5100-22_11-5247671.html
http://www.heise.de/security/news/meldung/48589
http://www.uscert.gov/current/current_activity.html
http://securityfocus.com/news/8982
http://securityfocus.com/news/8983

AV Links
http://secunia.com/virus_information/10264/scob/
http://www.sarc.com/avcenter/venc/data/js.scob.trojan.html
http://vil.nai.com/vil/content/v_100488.htm
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=39438
http://www.f-secure.com/v-descs/scob.shtml


Signs your SERVER was compromised

* All files sent by the web server will include the javascript. As the javascript is delivered by the web server as a global footer, images and other documents (robots.txt, word files) will include the javascript as well.
* The files on your server will not be altered. The javascript is included as a global footer and appended by the server as they are delivered to the browser.
* You will find that the global footer is set to a new file.
* For snort signatures, see http://www.bleedingsnort.com

We do not know at this point how the affected servers have been compromised. The SSL-PCT exploit is at the top of our list of suspects. If you find a compromised server, we strongly recommend a complete rebuild. You may be able to get your web site back into business by changing the footer setting and removing the javascript file. But this is a likely a very sophisticated attack and you should expect other stealthy Backdoors.

Signs Internet Explorer is compromised

* You may see a warning about a javascript error. But it depends on how the attack code interfers with other javascript on the respective page, and many users disable these javascript warnings.
* Disconnect the system from the network as soon as possible.
* run a thorough virus check with up to date virus definitions. Many AV vendors released new definitions as recently as last night.
* If you are able to monitor traffic to the infected host, you may see attempts to contact 217.107.218.147 on port 80.
* AV software will detect the javascript as 'JS.Scob.Trojan'.

Ject/Scob Attack: IWAP_WWW account on IIS servers
http://www.incidents.org/diary.php?date=2004-06-28

We have received information about compromised systems with Internet Information Server. These systems had an administrator level account with the username IWAP_WWW added. Please check if your server has such an account and let us know what you find. Until we know more, we suggest that you consider a server compromised if you find and administrator account with this username.