ALARM Group ALERT
Alert Number: 062504-01
Alert Date: 06/25/04
Alert Title: IIS/IE Exploit Attack
Summary: Various security resources are reporting the spread of a new server-browser attack. An unknown number of websites have apparently been compromised to append a small JavaScript file to all files served by the web server. The commands contained within this file take advantage of an unpatched vulnerability in Internet Explorer that allows the client browser to download and execute code without the knowledge or consent of the user. Any visitors to a compromised website will therefore attempt to automatically download and execute various keyloggers, proxy servers or other elements of system takeover/control from a Russian website. The method of infection for web servers is as yet unclear; in some cases, fully patched servers (some behind firewalls) appear to have been compromised.

Recommended Actions: Many antivirus software providers have updated their definitions within the last 24 hours to include data relevant to this exploit; the latest Symantec definitions are believed to be effective at catching this infection (referenced as the "JS.Scob" Trojan). Update your antivirus software definitions to the latest version IMMEDIATELY. Please verify that your workstations and servers are up to date with the necessary patch(es) from Microsoft (especially those addressed by Microsoft Security Bulletin MS04-011). IIS server managers should check for the presence of compromises using any relevant methods listed in the resource links below. Disabling JavaScript in IE browsers will prevent infection, but this action is left to the discretion of the system administrator, since JavaScript is linked to the appearance and functionality of many websites and web-based applications.
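An added example (not part of the original alert, and not taken from any of the tools or vendors it cites): a Python sketch of one server-side check for the behaviour described in the Summary, comparing each static file as stored on disk with the body the web server actually returns for it. The function names, paths and sample bytes are constructed for illustration, and the check assumes static files that the server would normally return byte-for-byte.

```python
import re

# Matches an opening <script> tag in any letter case.
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)

def check_served(on_disk: bytes, served: bytes) -> dict:
    """Compare a static file's bytes on disk with the body the server returned."""
    if served == on_disk:
        return {"status": "clean", "appended": b""}
    if served.startswith(on_disk):
        # The server sent the whole file and then extra bytes it did not read
        # from that file: the "appended to all files served" pattern.
        extra = served[len(on_disk):]
        status = "script-appended" if SCRIPT_TAG.search(extra) else "data-appended"
        return {"status": status, "appended": extra}
    # Differs somewhere other than the tail (stale copy, rewriting proxy, ...).
    return {"status": "modified", "appended": b""}

def audit(samples: dict) -> dict:
    """Map each path to its status, keeping only responses that differ from disk."""
    findings = {}
    for path, (on_disk, served) in samples.items():
        result = check_served(on_disk, served)
        if result["status"] != "clean":
            findings[path] = result["status"]
    return findings

# Constructed sample data. In real use, read on_disk from the web root and
# fetch served over HTTP from the same server.
FOOTER = b"<script>/* constructed placeholder, not the real payload */</script>"
PAGE = b"<html><body>Welcome</body></html>\r\n"
IMAGE = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"
SAMPLES = {
    "/index.html": (PAGE, PAGE + FOOTER),        # footer added to a page
    "/logo.gif": (IMAGE, IMAGE + FOOTER),        # "all files": images too
    "/about.html": (PAGE, PAGE),                 # served exactly as stored
    "/news.html": (PAGE, b"<html>old</html>"),   # differs, but not appended
}

if __name__ == "__main__":
    for path, status in audit(SAMPLES).items():
        print(f"{path}: {status}")
```

Because the comparison is made against the served response rather than the files alone, it also catches content that the server adds at response time while the files on disk remain unchanged.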
ITS Actions: ITS may block IP access to the Russian website in an attempt to block the download of the trojan horse executables. An update will be issued if this blockage is put into place.
Resources:
http://www.incidents.org/diary.php?date=2004-06-25
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://securityresponse.symantec.com/avcenter/venc/data/js.scob.trojan.html
http://www.uscert.gov/current/current_activity.html#iis5 (see "IIS 5 Web Server Compromises")
http://www.f-secure.com/v-descs/scob.shtml
http://www.microsoft.com/security/incident/download_ject.mspx
NOTE: PLEASE DO NOT REPLY TO THIS ALERT. Alerts distributed by ALARM are not intended to supplant whatever security measures you are currently following. Technology coordinators, as well as the entire UAlbany computing community, should continue to take all necessary precautions against threats to system security and information integrity.