Full Disclosure mailing list archives

Fwd: Alert: IIS compromised to place footer JavaScript on each page


From: B3r3n <B3r3n () argosnet com>
Date: Fri, 25 Jun 2004 19:50:08 +0200

FYI

There have been several reports of IIS servers being compromised in a
similar fashion. The result is that each has a document footer specified
which is JavaScript which causes the viewing browser to load a page from
a malicious website. The loaded page installs a trojan via one of
several attack methods attempted. According to Computer Associates, at
least one of those methods remains unpatched. The malicious web page the
client was being sent is no longer available.

At this point it does not look like this is a widespread issue, but I'd
like to see what you have seen.

1. There is so far no reasonable explanation as to how the IIS servers
are being compromised. The JavaScript which loads the attacking page
checks first to see if the browser is viewing via HTTPS, and if so, then
checks to see if there is a cookie on the client machine which starts
with "trk716". If there isn't such a cookie, then the JavaScript
executes causing the malicious page to be delivered to the victim. The
cookie expires in 10 minutes.

- Check your IIS Servers and verify whether the "Enable Document Footer"
option has been enabled (inspect the Documents tab in IIS Manager for
each site, or inspect the metabase to see whether EnableDocFooter is set
to true).

- If Document Footers are enabled and they shouldn't be, check which
files are being specified as the footer document. If you have been
attacked you will find files named similar to "iis7#.dll" in the
\inetsrv directory. There may be one for each of your virtual
directories.

- ftpcmd.txt, agent.exe, and ads.vbs have also been found on compromised
machines. ftpcmd gets the agent.exe, which is subsequently executed
resulting in the metabase being modified by executing the ads.vbs with
appropriate parameters.

Questions for those of you who have been compromised:

a) Do you have an SSL certificate on any site on the compromised box?
There has been some speculation that this may have something to do with
the attack.

b) Were all of the sites on the compromised machine modified to include
a document footer? If not, is there anything unique about the ones that
were modified?

c) If you had more than one machine compromised, did you have any
similarly exposed IIS servers that weren't compromised? There is
speculation that the attack is specific to IIS 5.0.

d) Had you applied MS04-011 but not yet had the machine rebooted? A
couple of the reports from compromised machines indicated they had
applied the patch but not yet rebooted the machine. Try to be sure
whether the machine was rebooted before indicating it was "fully
patched." Please provide the details of the compromised box, its OS
version, SP level, patches applied, plus any other components which may
have been installed (e.g. Cold Fusion, etc...)

e) Can you send me a copy of the agent.exe, or whatever name it may be?
If so, please rename the extension to .ts and send it to
Russ.Cooper () TruSecure ca

f) What directory did you find the ftpcmd.txt and/or agent.exe in?

g) Check your logs for anything dated similar to the datetime of
ftpcmd.txt, let me know if you find anything suspicious.

2. The attack against the clients has been specified as being:

Microsoft - Download.Ject
http://www.microsoft.com/security/incident/download_ject.mspx
Symantec - JS.Scob.Trojan
http://securityresponse.symantec.com/avcenter/venc/data/js.scob.trojan.html
FSecure - Scob
http://www.f-secure.com/v-descs/scob.shtml
Computer Associates - JS.Toofer
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39438

CA provides the most information so far, indicating that the trojans are
polymorphic variants of Win32.Webber. They claim the malicious web page
exploits the Modal Dialog Zone Bypass discovered earlier in June. They
also claim it is exploiting the vulnerability fixed by MS04-013 (MHTML).

Questions:

a) If you got a copy of the attacking page, can you send it to me?

b) What site served up the document footer that caused you to be sent
the malicious page?

Cheers,
Russ - NTBugtraq Editor

-----
NTBugtraq Editor's Note:

Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----
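The following is an added example, not part of Russ's post or the forwarded
message, showing one way to script the two checks he asks for: walk the IIS
metabase through the ADSI provider and list every node where EnableDocFooter is
set (with the DefaultDocFooter value, which the metabase stores as "FILE:path"
or "STRING:text"), then look for the filenames the post associates with the
compromise. It assumes an IIS 5.0/6.0 metabase reachable at IIS://localhost/W3SVC
(on IIS 7+ this needs the "IIS 6 Metabase Compatibility" feature), an elevated
PowerShell session, and that a footer file named like iis7#.dll is an HTML
fragment rather than a real DLL. Get-DocFooterNodes is a helper name chosen
here, not an IIS or PowerShell built-in.

```powershell
# Added example (not from the original post): enumerate document-footer settings
# in the IIS metabase and look for the indicators named in the post.
# Assumes the IIS ADSI provider is present and the shell runs as Administrator.

$inetsrv = Join-Path $env:SystemRoot 'system32\inetsrv'

function Get-DocFooterNodes {
    # Recurse from the W3SVC node through sites, ROOT vdirs and sub-vdirs and
    # emit one record per node that has a footer enabled or a footer path set.
    param([System.DirectoryServices.DirectoryEntry]$Node)

    $footerClasses = 'IIsWebService', 'IIsWebServer', 'IIsWebVirtualDir', 'IIsWebDirectory'
    if ($footerClasses -contains $Node.SchemaClassName) {
        $enabled = $Node.Properties['EnableDocFooter'].Value
        $footer  = $Node.Properties['DefaultDocFooter'].Value
        if ($enabled -eq $true -or -not [string]::IsNullOrEmpty($footer)) {
            [pscustomobject]@{
                Path    = $Node.Path            # e.g. IIS://localhost/W3SVC/1/ROOT
                Class   = $Node.SchemaClassName
                Enabled = [bool]$enabled
                Footer  = $footer               # "FILE:<path>" or "STRING:<text>"
            }
        }
    }
    foreach ($child in $Node.Children) {
        Get-DocFooterNodes -Node $child
    }
}

$hits = @(Get-DocFooterNodes -Node ([ADSI]'IIS://localhost/W3SVC'))
if ($hits.Count -eq 0) {
    Write-Host 'No metabase node has EnableDocFooter or DefaultDocFooter set.'
} else {
    $hits | Format-Table -AutoSize
}

# For FILE: footers, read the referenced file and flag script content. The post
# describes the footer as JavaScript that checks for a cookie starting "trk716";
# matching on "<script" catches any variant, the cookie prefix is a bonus.
foreach ($h in $hits) {
    if ($h.Footer -like 'FILE:*') {
        $file = $h.Footer.Substring(5)
        if (Test-Path -LiteralPath $file) {
            $text = (Get-Content -LiteralPath $file) -join "`n"
            if ($text -match '<script' -or $text -match 'trk716') {
                Write-Warning "Footer $file referenced by $($h.Path) contains script"
            }
        } else {
            Write-Warning "Footer $file referenced by $($h.Path) does not exist"
        }
    }
}

# Filenames reported on compromised hosts in the post: iis7#.dll-style footers
# in \inetsrv, and ftpcmd.txt / agent.exe / ads.vbs anywhere on the system drive.
# Timestamps are kept so they can be matched against the IIS and FTP logs.
Get-ChildItem -Path $inetsrv -Filter 'iis7*.dll' -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTime, LastWriteTime

Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -ErrorAction SilentlyContinue `
    -Include 'ftpcmd.txt', 'agent.exe', 'ads.vbs' |
    Select-Object FullName, Length, CreationTime, LastWriteTime
```

A metabase value set on W3SVC or on a site is inherited by the nodes below it,
so one footer setting can show up on several rows; the Path column tells you
where it was actually applied. On a Windows 2000 / IIS 5.0 box of the era there
is no PowerShell, but the same ADSI calls (GetObject("IIS://localhost/W3SVC"),
EnableDocFooter, DefaultDocFooter) work unchanged from a VBScript run with
cscript. Treat any file you find as evidence: copy it with its timestamps rather
than opening the footer in a browser.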


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
