-
June 25th, 2004, 03:24 PM
#1
New Threat
My local media was reporting a "Big" threat hitting the internet which involved infected Web Sites. So I hustle my butt into work to check things out. I have no high level alerts from Symantec, only a note about a Category 1 virus which deals with Infected Web Sites.
Symantec Link
I head on over to the Internet Storm Center and they have more information:
A large number of web sites, some of them quite popular, were compromised earlier this week to distribute malicious code. The attacker uploaded a small file with javascript to infected web sites, and altered the web server configuration to append the script to all files served by the web server. The Storm Center and others are still investigating the method used to compromise the servers. Several server administrators reported that they were fully patched.
Source
I check all my systems and I see nothing going on which could be related to any of this.
My question: are any of you seeing anything from this "Big Threat", or is this just another issue which is being over-hyped by the media?
Cheers:
More information from SANS:
The visitor's browser is re-directed to the Russian URL listed below where a known Trojan program (msits.exe) is downloaded, along with some additional malware. Again, if the user's machine is updated with current AV software, this malware is detected and blocked.
The earliest reported infection was on June 20th.
An IIS server's configuration is somehow modified so that "enable document footer" is enabled for various (if not all) files and linked to the new .dll file(s) in \winnt\system32\inetsrv. This might be done with the help of a program called agent.exe installed via one of the multiple known IIS vulnerabilities.
What we DON'T know, and can use some help in figuring out, is how the malware is installed on the IIS server to begin with. Is there a zero-day floating around? Is it via a known vulnerability and the use of agent.exe as mentioned above? (Ed Skoudis, one of our handlers, suggested that perhaps the IIS system admin used a local copy of IE to browse a site and pulled down hostile JavaScript.)
-
June 25th, 2004, 03:58 PM
#2
Junior Member
Infected IIS web servers infecting users
Anyone have more information on the following article? Is this new?
http://www.cnn.com/2004/TECH/interne....ap/index.html
Snippet
------------
CHICAGO, Illinois (AP) -- Government and industry experts warned late Thursday of a mysterious, large-scale Internet attack against thousands of popular Web sites. The virus-like infection tries to implant hacker software onto the computers of all Web site visitors.
Industry experts and the Homeland Security Department were studying the infection to determine how it spreads across Web sites and find adequate defenses against it.
"Users should be aware that any Web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code," the government warned in one Internet alert.
The mysterious infection appeared to target at least one recent version of software by Microsoft Corp. to operate Web sites, called its Internet Information Server, popular among businesses and organizations.
------------
Just looking for more info, detection methods, or general information.
-
June 25th, 2004, 04:01 PM
#3
Junior Member
I personally think it is a big deal, please keep us posted.
So far it looks like a bunch of big corporate web sites got hit, including one of Citibank's servers. Right now no one knows how.
They were all "patched", but these servers are dumping Trojans on visiting computers.
Right now info is NOT CERTAIN!!!!! I hate posting early, but this is one to watch.
keep us posted
jeremy
-
June 25th, 2004, 04:06 PM
#4
Junior Member
Found some more...
As far as detection, the virus apparently appends some Javascript to the bottom of pages delivered by IIS 5.0.
http://www.uscert.gov/current/curren...vity.html#iis5
Snippet
--------------------
IIS 5 Web Server Compromises
added June 24
US-CERT is aware of new activity affecting compromised web sites running Microsoft's Internet Information Server (IIS) 5 and possibly end-user systems that visit these sites. Compromised sites are appending JavaScript to the bottom of web pages. When executed, this JavaScript attempts to access a file hosted on another server. This file may contain malicious code that can affect the end-user's system. US-CERT is investigating the origin of the IIS 5 compromises and the impact of the code that is downloaded to end-user systems.
Web server administrators running IIS 5 should verify that there is no unusual JavaScript appended to the bottom of pages delivered by their web server.
This activity is another example of why end users must exercise caution when JavaScript is enabled in their web browser. Disabling JavaScript will prevent this activity from affecting an end-user's system, but may also degrade the appearance and functionality of some web sites that rely upon JavaScript. US-CERT recommends that end-users disable JavaScript unless it is absolutely necessary. Users should be aware that any web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code.
--------------------
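The US-CERT advice quoted above is to check whether the server is appending JavaScript to the bottom of the pages it serves. The following script is an added example (not from the thread or from US-CERT) of how an administrator could sweep captured responses for that: for an HTML body it flags only script blocks that appear after the closing </html> tag, where a document footer would be glued on, and for a non-HTML body it flags any script tag at all, since the SANS note says the footer was appended to all files served. The sample responses and the footer URL are constructed placeholders, not real indicators.

```python
import re

# Matches one inline or external <script ...>...</script> block (case-insensitive).
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
# Pulls the src= URL out of a script tag, quoted or unquoted.
SRC_RE = re.compile(r"""<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def trailing_scripts(body: bytes, content_type: str) -> list[str]:
    """Return <script> blocks that look like an appended footer.

    For an HTML body only blocks after the final </html> count, because a
    document footer is added after the page proper. For a non-HTML body
    (stylesheet, image, plain text) any script block at all is anomalous.
    """
    text = body.decode("latin-1")  # lossless for arbitrary bytes
    if "html" not in content_type.lower():
        return [m.group(0) for m in SCRIPT_RE.finditer(text)]
    end = text.lower().rfind("</html>")
    if end == -1:
        return []
    tail = text[end + len("</html>"):]
    return [m.group(0) for m in SCRIPT_RE.finditer(tail)]


def external_sources(blocks: list[str]) -> list[str]:
    """Collect src= URLs from flagged blocks: the hosts to block and to grep for in proxy logs."""
    return [m.group(1) for b in blocks for m in SRC_RE.finditer(b)]


# Constructed sample responses; footer.example is a placeholder, not a real indicator.
CLEAN_PAGE = b"<html><head><title>Home</title></head><body><p>Hello</p></body></html>\r\n"
FOOTER = b'<script src="http://footer.example/placeholder.js"></script>'
SAMPLES = [
    ("/index.htm", "text/html", CLEAN_PAGE),
    ("/about.htm", "text/html", CLEAN_PAGE + FOOTER),
    ("/site.css", "text/css", b"body { color: black }\r\n" + FOOTER),
    # A script the site owner put inside the page body is not a footer.
    ("/ours.htm", "text/html", b"<html><body><script src='/js/menu.js'></script></body></html>"),
]


def sweep(samples):
    """Return {path: [src URLs]} for every response that carries an appended script."""
    hits = {}
    for path, ctype, body in samples:
        blocks = trailing_scripts(body, ctype)
        if blocks:
            hits[path] = external_sources(blocks)
    return hits


if __name__ == "__main__":
    for path, urls in sweep(SAMPLES).items():
        print(f"{path}: appended script -> {urls or ['(inline)']}")
```

In practice the bodies would come from fetching each URL of your own site with an HTTP client and recording the Content-Type header alongside the body.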
-
June 25th, 2004, 04:16 PM
#5
This seems to be on the front page in three or four threads.
I posted information in this thread. The Russian web site is now offline though that will change soon probably.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
June 25th, 2004, 04:21 PM
#6
Thanks Tiger, but for once, I am ahead of you on that. The address is blocked & my snort rules are updating as we speak. Are you seeing much activity?
I also sent a note to the Mods to see if they wanted to merge these threads.
Cheers:
-
June 25th, 2004, 04:27 PM
#7
DJM:
Yep, I'm blocked and snorting..... Not seen anything yet, (1.5 hours).
The problem with blocking it is that it's down anyway. How long do you think it will be before they re-enter the compromised web sites and change to a new address?
Snort is the protection. One guy on the snort-sigs list turned it off because of all the false positives but no-one else seems to be seeing them so the rule should be good.
I've checked my web sites too..... No .js except for those we put there.... but I'm keeping my eye on the sites. Hopefully the HIDS will alert me to any changes.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
June 25th, 2004, 06:42 PM
#8
Threats/threads merged. Thanks for reporting, DjM.
-
June 25th, 2004, 07:18 PM
#9
Looks to me like geocities.yahoo got hit.
S25vd2xlZGdlIGlzIHBvd2VyIQ
-
June 25th, 2004, 07:30 PM
#10
I don't know about Geocities, but Yahoo doesn't seem to have it. Most of the home pages in my network are set for Yahoo and I haven't seen a single outbound request for the IP address of the Russian web site.
What do you ground your statement on?
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides