Download.Ject - CRITICAL Warnings related to IIS Servers
ISC has an in-depth discussion and they reflect a lot of "unknowns" also. They are looking for input as they examine whether this is possibly a ZERO-DAY ISS exploit? IIS servers that are not patched with the MS04-011 security update can become "spamware servers" injecting Ject.Download to fully patched clients that are not using "ramped up" IE security. In the second link below, Microsoft has discusses this as a CRITICAL and offers ways to manually check for infections.
Bottom line - There are still a lot of unknowns on these issues ....
RFI - Russian IIS Hacks?http://www.incidents.org/diary.php?date=2004-06-24
What we DON'T know, and can use some help in figuring out, is how the malware is installed on the IIS server to begin with. Is there a zero-day floating around? Is it via a known vulnerability and the use of agent.exe as mentioned above?
Our concern is that there might be an IIS zero-day floating around. We won't list the sites that are
reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched.
* * * * * *
Microsoft also warns and lists "HOW TO TELL IF YOU ARE INFECTED"
What You Should Know About Download.Jecthttp://www.microsoft.com/security/incident...nload_ject.mspx
Reports indicate that Web servers running Windows 2000 Server and IIS that have not applied update 835732, which was addressed by Microsoft Security Bulletin MS04-011, are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code.