
Thread: New Threat

  1. #1
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867

    New Threat

    My local media was reporting a "Big" threat hitting the internet which involved infected Web Sites. So I hustle my butt into work to check things out. I have no high-level alerts from Symantec, only a note about a Category 1 virus which deals with Infected Web Sites.

    Symantec Link

    I head on over to the Internet Storm Center and they have more information:

    A large number of web sites, some of them quite popular, were compromised earlier this week to distribute malicious code. The attacker uploaded a small file with javascript to infected web sites, and altered the web server configuration to append the script to all files served by the web server. The Storm Center and others are still investigating the method used to compromise the servers. Several server administrators reported that they were fully patched.
    Source

    I check all my systems and I see nothing going on which could be related to any of this.

    My question, are any of you seeing anything from this "Big Threat" or is this just another issue which is being over hyped by the media?

    Cheers:

    More information from SANS:

    The visitor's browser is re-directed to the Russian URL listed below where a known Trojan program (msits.exe) is downloaded, along with some additional malware. Again, if the user's machine is updated with current AV software, this malware is detected and blocked.
    The earliest reported infection was on June 20th.
    An IIS server's configuration is somehow modified so that "enable document footer" is enabled for various (if not all) files and linked to the new .dll file(s) in \winnt\system32\inetsrv. This might be done with the help of a program called agent.exe installed via one of the multiple known IIS vulnerabilities.
    What we DON'T know, and can use some help in figuring out, is how the malware is installed on the IIS server to begin with. Is there a zero-day floating around? Is it via a known vulnerability and the use of agent.exe as mentioned above? (Ed Skoudis, one of our handlers, suggested that perhaps the IIS system admin used a local copy of IE to browse a site and pulled down hostile JavaScript.)
    DjM

  2. #2
    Junior Member
    Join Date
    Dec 2003
    Posts
    7

    Infected IIS web servers infecting users

    Anyone have more information on the following article? Is this new?

    http://www.cnn.com/2004/TECH/interne....ap/index.html

    Snippet
    ------------
    CHICAGO, Illinois (AP) -- Government and industry experts warned late Thursday of a mysterious, large-scale Internet attack against thousands of popular Web sites. The virus-like infection tries to implant hacker software onto the computers of all Web site visitors.

    Industry experts and the Homeland Security Department were studying the infection to determine how it spreads across Web sites and find adequate defenses against it.

    "Users should be aware that any Web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code," the government warned in one Internet alert.

    The mysterious infection appeared to target at least one recent version of software by Microsoft Corp. to operate Web sites, called its Internet Information Server, popular among businesses and organizations.
    ------------

    Just looking for more info, detection methods, or general information.

  3. #3
    Junior Member
    Join Date
    Feb 2004
    Posts
    12
    I personally think it is a big deal. Please keep us posted.
    So far it looks like a bunch of big corporate web sites got hit, including one of Citibank's servers. Right now no one knows how.
    They were all "patched" but these servers are dumping trojans on visiting computers.
    Right now info is NOT CERTAIN!!!!! I hate posting early but this is one to watch.
    Keep us posted.
    jeremy

  4. #4
    Junior Member
    Join Date
    Dec 2003
    Posts
    7

    Found some more...

    As far as detection, the virus apparently appends some Javascript to the bottom of pages delivered by IIS 5.0.

    http://www.uscert.gov/current/curren...vity.html#iis5

    Snippet
    --------------------
    IIS 5 Web Server Compromises
    added June 24
    US-CERT is aware of new activity affecting compromised web sites running Microsoft's Internet Information Server (IIS) 5 and possibly end-user systems that visit these sites. Compromised sites are appending JavaScript to the bottom of web pages. When executed, this JavaScript attempts to access a file hosted on another server. This file may contain malicious code that can affect the end-user's system. US-CERT is investigating the origin of the IIS 5 compromises and the impact of the code that is downloaded to end-user systems.

    Web server administrators running IIS 5 should verify that there is no unusual JavaScript appended to the bottom of pages delivered by their web server.

    This activity is another example of why end users must exercise caution when JavaScript is enabled in their web browser. Disabling JavaScript will prevent this activity from affecting an end-user's system, but may also degrade the appearance and functionality of some web sites that rely upon JavaScript. US-CERT recommends that end-users disable JavaScript unless it is absolutely necessary. Users should be aware that any web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code.

    --------------------
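An added example, not part of the thread or of any poster's tooling: one way to run the check US-CERT describes above, by looking for script content that follows the closing `</html>` tag of pages as served. The sample pages, paths and function names are constructed for illustration; in practice the bodies would be fetched from your own server.

```python
import re

# Anything the server emits after the last </html> is the "trailer".
_HTML_END = re.compile(r"</html\s*>", re.IGNORECASE)
_SCRIPT = re.compile(r"<script\b", re.IGNORECASE)


def trailer(body):
    """Return whatever follows the final </html> tag (empty if none found)."""
    matches = list(_HTML_END.finditer(body))
    if not matches:
        return ""  # not an HTML document; out of scope for this check
    return body[matches[-1].end():].strip()


def audit(pages):
    """pages maps path -> response body as served. Returns the findings."""
    trailers = {path: trailer(body) for path, body in pages.items()}
    flagged = sorted(p for p, t in trailers.items() if _SCRIPT.search(t))
    # A server-wide document footer yields the same trailer on unrelated
    # pages, so group flagged pages by identical trailer text.
    by_trailer = {}
    for path in flagged:
        by_trailer.setdefault(trailers[path], []).append(path)
    shared = [paths for paths in by_trailer.values() if len(paths) > 1]
    return {"script_after_html": flagged, "shared_trailer_groups": shared}


# Constructed sample responses. The trailing script is a harmless placeholder.
SAMPLE = {
    "/index.html": "<html><body>Home</body></html>\n"
                   "<script>/* constructed footer */</script>",
    "/about.html": "<HTML><body>About</body></HTML>\n"
                   "<script>/* constructed footer */</script>",
    # Script inside the document is normal and must not be flagged.
    "/clean.html": "<html><body><script>ok()</script></body></html>\n",
}

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, value)
```

Compare the bodies as delivered over HTTP, not the files on disk, since the footer is added by the server configuration at serving time.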

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    This seems to be on the front page in three or four threads.

    I posted information in this thread. The Russian web site is now offline though that will change soon probably.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Thanks Tiger, but for once, I am ahead of you on that. The address is blocked & my snort rules are updating as we speak. Are you seeing much activity?

    I also sent a note to the Mods to see if they wanted to merge these threads.

    Cheers:
    DjM

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    DJM:

    Yep, I'm blocked and snorting..... Not seen anything yet, (1.5 hours).

    The problem with blocking it is that it's down anyway. How long do you think it will be before they re-enter the compromised web sites and change to a new address?

    Snort is the protection. One guy on the snort-sigs list turned it off because of all the false positives but no-one else seems to be seeing them so the rule should be good.

    I've checked my web sites too..... No .js except for those we put there.... but I'm keeping my eye on the sites. Hopefully the HIDS will alert me to any changes.

  8. #8
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    Threats/threads merged. Thanks for reporting, DjM.

  9. #9
    IT Specialist Ghost_25inf's Avatar
    Join Date
    Sep 2001
    Location
    Michigan
    Posts
    648
    looks to me geocities. yahoo got hit
    S25vd2xlZGdlIGlzIHBvd2VyIQ

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I don't know about Geocities but Yahoo doesn't seem to have it. Most of the home pages in my network are set for Yahoo and I haven't seen a single outbound request for the IP address of the Russian web site.

    What do you ground your statement on?
