RFI - Russian IIS Hacks? (Hot off SANS Diary)
Link: http://isc.sans.org/diary.php?date=2004-06-24
UPDATE - Several readers have responded and confirmed that this is a wide-spread issue. Here is what we know so far:
- An IIS server's configuration is somehow modified so that "enable document footer" is enabled for various (if not all) files and linked to the new .dll file(s) in \winnt\system32\inetsrv. This might be done with the help of a program called agent.exe installed via one of the multiple known IIS vulnerabilities. (Thanks, Patrick and Ben!)
- When a visitor browses the site, all of the objects with their properties set to "enable document footer" are sent to the client browser with the JavaScript appended to the end of the file. If the visitor is running an updated version of AV software, the modified files (which include images as well as .html) are detected as being infected.
- The visitor's browser is re-directed to the Russian URL listed below where a known Trojan program (msits.exe) is downloaded, along with some additional malware. Again, if the user's machine is updated with current AV software, this malware is detected and blocked. (Thanks, Michael!)
- The earliest reported infection was on June 20th (four days ago).
What we DON'T know, and can use some help in figuring out, is how the malware is installed on the IIS server to begin with. Is there a zero-day floating around? Is it via a known vulnerability and the use of agent.exe as mentioned above? (Ed Skodis, one of our handlers, suggested that perhaps the IIS system admin used a local copy of IE to browse a site and pulled down hostile JavaScript. Does that jive with anybody's findings?)
Our concern is that there might be an IIS zero-day floating around. We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched.
[original diary entry follows]
A reader pointed us to an IIS discussion group (microsoft.public.inetserver.iis.security) where several IIS administrators discovered some strange .dll files on their web servers in the past 24 hours. According to the discussion on that list, they are all 1kb .dll files. They were deposited in the \winnt\system32\inetsrv directory with names like iis7xy.dll where x is a random number that appears to be between 1-3 and y is a random character or number.
The .dll's contain JavaScript similar to the string below. I've intentionally added some spacing to defang it a bit:
... code snipped out ...
There are other reports in the past 24 hours indicating that this JavaScript has been seen appended to text files and other file types.
The Storm Center would like to know if others are seeing this phenomena and if there are any ideas about it origin or intent (other than being an attempt to download malware - that's obvious.) The IP address in the JavaScript points to a Russian site, and at the time of this writing it is still active. A note of caution - that site will attempt to insert malicious code onto a visiting machine. Use extreme caution if you decide to visit it.
Marcus H. Sachs
Handler on Duty
(Hat tip: IIS5 mailing list from iislists.com)