RealTime IT News

Malware Attack Thwarted but Danger Lurks

A Russian Web site that was being used to distribute malware programs as part of a sophisticated attack against Microsoft IIS 5.0 servers has been taken offline by law enforcement officials.

Microsoft announced over the weekend that law enforcement officials, working in tandem with ISPs, shut down the malicious Web site to thwart the spread of the Download.Ject Trojan. But experts warned that a still-unpatched flaw in the popular Internet Explorer browser is still a major security problem.

The software giant confirmed the attack exploited an IE vulnerability to distribute malicious code to visitors of an affected Web site, but there was no word on when the IE flaw would be fixed.

"The originating Web site of attack has been taken offline. Internet Explorer customers are no longer at risk from that particular attack source as of Thursday evening," Microsoft said.

However, because the IE flaw remains unpatched, there are fears in the security sector that a new attack is inevitable. The vulnerability was first reported on June 10 after code for "zero day exploits" targeting fully patched systems with IE 6.0 was posted on a public discussion list.

Microsoft said IE users should install the latest security updates and utilize high-security browser settings to mitigate the threats. The company also said customers running Windows XP SP2 Release Candidate 2 were already protected from the Download.Ject threat.

Download.Ject, also known as Scob, is a Trojan downloader that started spreading last week after unknown attackers uploaded a small file with JavaScript to infected Web sites running Microsoft IIS 5.0 servers. The Web server configuration was altered to append the script to all files served by the Web server.

A user visiting an infected site with IE automatically became infected with the JavaScript, which triggered a download from a Russian Web site. The download included Trojan horse programs like keystroke loggers, proxy servers and other back doors providing full access to the infected system.

Anti-virus firm Symantec said the keystroke loggers appear to be hijacking personal information for PayPal, eBay and other ISP accounts.

Microsoft described Download.Ject as a "targeted manual attack by individuals or entities" and made it clear that it was not a worm or virus attack.

The company said its analysis, confirmed independently by ISS X-Force, shows that IIS 5.0 Servers that have not been updated with a patch available since April were susceptible to this attack. The MS04-011 security bulletin that contains the IIS fix is available here.

Advisories and disinfection instructions are available from Symantec, F-Secure and Computer Associates.