(for more details, also see yesterday's diary:
Updates will be posted here.
UPDATE 17:26 UTC Jan 25 2004
LURHQ published a detailed analysis of the "Berbew" trojan downloaded
by this exploit. According to this analysis, the trojan will capture
passwords as use log into given e-commerce, bank or auction web
UPDATE 16:10 UTC Jun 25 2004
A reader who's web server was impacted by this attack sent us some findings from his Windows Security Event Logs. The logs showed the following sequence at the time of the incident:
- a process was created for CMD. The user name on the process was the ComputerName with a $ at the end.
- a process then was created for FTP.exe
- then for a file called agent.exe
- then mulitple instances of CSCRIPT were called
Thanks to Micheal Teff for providing this information.
Deb Hale - email@example.com
Handler on Duty
A large number of web sites, some of them quite popular, were
compromised earlier this week to distribute malicious code. The attacker
the web server configuration to append the script to all files served by
the web server. The Storm Center and others are still investigating
the method used to compromise the servers. Several server
administrators reported that they were fully patched.
site would instruct the user's browser to download an executable from
a Russian web site and install it. Different executables were
observed. These trojan horse programs include keystroke loggers, proxy
servers and other back doors providing full access to the infected
download and execute the code. No warning will be displayed. The user
does not have to click on any links. Just visiting an infected site will
trigger the exploit.
If your SERVER was compromised, you will observe:
footer, images and other documents (robots.txt, word files)
is included as a global footer and appended by the server
as they are delivered to the browser.
* You will find that the global footer is set to a new file.
* For snort signatures, see http://www.bleedingsnort.com
We do not know at this point how the affected servers have been
compromised. The SSL-PCT exploit is at the top of our list of suspects.
If you find a compromised server, we strongly recommend a complete
rebuild. You may be able to get your web site back into business by
is a likely a very sophisticated attack and you should expect other
If you visited an affected page, and your BROWSER is compromised:
* Disconnect the system from the network as soon as possible.
* run a thorough virus check with up to date virus definitions.
Many AV vendors released new definitions as recently as last
* If you are able to monitor traffic to the infected host, you
may see attempts to contact 22.214.171.124 on port 80.
We do not have any evidence of any other target IPs being
involved at this point. However, as this ip is no longer
reachable, attackers may plant scripts that point to other
IPs in the future
FAQ's about this attack:
- Is this the first time web servers have been compromised to
No. Nimda attempted the same trick, using an older MSIE
exploit. Other attempts have been observed in the past.
This attack is special because it affects a large number
of servers and is not easily detectable.
- Will affected websites be "defaced" or otherwise altered?
No. In most cases, the web sites will look just like usual
executed, forcing the browser to connect to the Russian site.
- How can I protect my web server from becoming infected
and used as a host for the script?
Apply all necessary patches. If you find an unpatched web
server, assume it has been compromised even if you do not
see an obvious sign of an attack. Given the current threat
environment, an unpatched web server is likely to be attacked
successfully within a few hours.
- How can I protect my users from these web sites. Do you
publish a list? Should they stop browsing?
We do not provide a list of infected sites. Instead we
try to work with site administrators to have them shut down
as soon as possible. Right now, we don't know of any sites
that are still hosting the script. Given that this attack
code, we recommend that you
(*) install and maintain anti virus software
other then MSIE until the current vulnerabilities
in MSIE are patched.
Analysis of the underlying MSIE vulnerability:
! This link will trigger some warnings from AV software !
http://126.96.36.199/analysis.htm (thanks to Olivier de Jong)
Symantec writeup for js.scob.trojan:
MSIE Exploit information from Security Focus:
CHMM Vulnerability (not used here, but used by similar exploits ) : http://www.securityfocus.com/bid/9658/info/
LURHQ Berbew Analysis:
UseNet Discussion about IIS exploits:
Johannes Ullrich, jullrich_at_sans.org
Jun 25th 2004
1 decade ago