Malware Attack Thwarted but Danger Lurks

A Russian Web site that was being used to distribute malware programs as
part of a sophisticated attack against Microsoft IIS 5.0
servers has been taken offline by law enforcement officials.

Microsoft announced over the weekend that law enforcement officials,
working in tandem with ISPs, shut down the malicious Web site to thwart the
spread of the Download.Ject
Trojan. But experts warned that a still-unpatched flaw in the
popular Internet Explorer browser is still a major security
problem.

The software giant confirmed the attack exploited an IE vulnerability to
distribute malicious code to visitors of an affected Web site, but there was
no word on when the IE flaw would be fixed.

“The originating Web site of
attack has been taken offline. Internet Explorer customers are no longer at
risk from that particular attack source as of Thursday evening,” Microsoft
said.

However, because the IE flaw remains unpatched, there are fears in the
security sector that a new attack is inevitable. The vulnerability was first
reported on June 10 after code for “zero day exploits” targeting fully
patched systems with IE 6.0 was posted on a public discussion list.

Microsoft said IE users should install the latest security updates and
utilize high-security browser settings to mitigate the threats. The company
also said customers running Windows XP SP2 Release Candidate 2 were already
protected from the Download.Ject threat.

Download.Ject, also known as Scob, is a
Trojan
downloader that started spreading last week after unknown attackers
uploaded a small file with JavaScript to infected Web sites running
Microsoft IIS 5.0 servers. The Web server configuration was altered to
append the script to all files served by the Web server.

A user visiting an infected site with IE automatically became
infected with the JavaScript, which triggered a download from a Russian Web
site. The download included Trojan horse programs like keystroke loggers,
proxy servers and other back doors providing full access to the infected
system.

Anti-virus firm Symantec said the keystroke loggers
appear to be hijacking personal information for PayPal, eBay and other ISP
accounts.

Microsoft described Download.Ject as a “targeted manual attack by
individuals or entities” and made it clear that it was not a worm or virus
attack.

The company said its analysis, confirmed independently by ISS X-Force,
shows that IIS 5.0 Servers that have not been updated with a patch available
since April were susceptible to this attack. The MS04-011 security bulletin
that contains the IIS fix is available here.

Advisories and disinfection instructions are available from
Symantec,
F-Secure and Computer Associates.