FW: Alert: IIS compromised to place footer JavaScript on each page

["Middleton, Jake T" <JMiddleton () jenner com>]

FYI

-----Original Message-----
From: Windows NTBugtraq Mailing List
[mailto:NTBUGTRAQ () LISTSERV NTBUGTRAQ COM] On Behalf Of Russ
Sent: Friday, June 25, 2004 7:32 AM
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Subject: Alert: IIS compromised to place footer JavaScript on each page


There have been several reports of IIS servers being compromised in a
similar fashion. The result is that each has a document footer specified
which is JavaScript which causes the viewing browser to load a page from a
malicious website. The loaded page installs a trojan via one of several
attack methods attempted. According to Computer Associates, at least one
of those methods remains unpatched. The malicious web page the client was
being sent is no longer available.

At this point it does not look like this is a widespread issue, but I'd
like to see what you have seen.

1. There is so far no reasonable explanation as to how the IIS servers are
being compromised. The JavaScript which loads the attacking page checks
first to see if the browser is viewing via HTTPS, and if so, then checks
to see if there is a cookie on the client machine which starts with
"trk716". If there isn't such a cookie, then the JavaScript executes
causing the malicious page to be delivered to the victim. The cookie
expires in 10 minutes.

- Check your IIS Servers and verify whether the "Enable Document Footer"
option has been enabled (inspect the Documents tab in IIS Manager for each
site, or inspect the metabase for the EnableDocFooter is set to true.

- If Document Footers are enabled and they shouldn't be, check which files
are being specified as the footer document. If you have been attacked you
will find files named similar to "iis7#.dll" in the \inetsrv directory.
There may be one for each of your virtual directories.

- ftpcmd.txt, agent.exe, and ads.vbs have also been found on compromised
machines. ftpcmd gets the agent.exe, which is subsequently executed
resulting in the metabase being modified by executing the ads.vbs with
appropriate parameters.

Questions for those of you who have been compromised:

a) Do you have an SSL certificate on any site on the compromised box?
There has been some speculation that this may have something to do with
the attack.

b) Were all of the sites on the compromised machine modified to include a
document footer? If not, is there anything unique about the ones that were
modified?

c) If you had more than one machine compromised, did you have any
similarly exposed IIS servers that weren't compromised? There is
speculation that the attack is specific to IIS 5.0.

d) Had you applied MS04-011 but not yet had the machine rebooted? A couple
of the reports from compromised machines indicated they had applied the
patch but not yet rebooted the machine. Try to be sure whether the machine
was rebooted before indicating it was "fully patched." Please provide the
details of the compromised box, its OS version, SP level, patches applied,
plus any other components which may have been installed (e.g. Cold Fusion,
etc...)

e) Can you send me a copy of the agent.exe, or whatever name it may be? If
so, please rename the extension to .ts and send it to
Russ.Cooper () TruSecure ca

f) What directory did you find the ftpcmd.txt and/or agent.exe in?

g) Check your logs for anything dated similar to the datetime of
ftpcmd.txt, let me know if you find anything suspicious.

2. The attack against the clients has been specified as being;

Microsoft - Download.Ject
http://www.microsoft.com/security/incident/download_ject.mspx
Symantec - JS.Scob.Trojan
http://securityresponse.symantec.com/avcenter/venc/data/js.scob.trojan.h
tml
FSecure - Scob
http://www.f-secure.com/v-descs/scob.shtml
Computer Associates - JS.Toofer
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39438

CA provides the most information so far, indicating that the trojan are
polymorphic variants of Win32.Webber. They claim the malicious web page
exploits the Modal Dialog Zone Bypass discovered earlier in June. They
also claim it is exploiting the vulnerability fixed by MS04-013 (MHTML).

Questions:

a) If you got a copy of the attacking page, can you send it to me?

b) What site served up the document footer that caused you to be sent the
malicious page?

Cheers,
Russ - NTBugtraq Editor

-----
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured
such that just hitting reply is going to result in the message coming to
the list, not to the individual who sent the message. This was done to
help reduce the number of Out of Office messages posters received. So if
you want to send a reply just to the poster, you'll have to copy their
email address out of the message and place it in your TO: field.
-----

Attachment: smime.p7s
Description: