Richard Dudley

Pencil Bros. Geology, Inc. "We Deliver" Quality Assured * Satisfaction Guaranteed

Thursday, June 24, 2004 - Posts

Web Graphics Exploit Marching Across Internet (Russian hack update)

Source: http://www.eweek.com/article2/0,1759,1617046,00.asp

When visitors to a few particular Web sites—including popular auction, shopping and price-comparison sites—request pages that include the malicious graphics, the code automatically downloads itself onto their machines. Once installed, the code unpacks itself and loads a keystroke logger on the PC.

NetSec officials said the attack seems to exploit a vulnerability in Internet Explorer.

The code then forces the machine to contact two IP addresses—one in Russia and one in the United States. The Russian site is hosted on a broadband connection and is part of a network known for spamming and other transgressions.

posted Thursday, June 24, 2004 6:12 PM by richard.dudley

RFI - Russian IIS Hacks? (Hot off SANS Diary)

Link: http://isc.sans.org/diary.php?date=2004-06-24

UPDATE - Several readers have responded and confirmed that this is a wide-spread issue. Here is what we know so far:

- An IIS server's configuration is somehow modified so that "enable document footer" is enabled for various (if not all) files and linked to the new .dll file(s) in \winnt\system32\inetsrv. This might be done with the help of a program called agent.exe installed via one of the multiple known IIS vulnerabilities. (Thanks, Patrick and Ben!)

- When a visitor browses the site, all of the objects with their properties set to "enable document footer" are sent to the client browser with the JavaScript appended to the end of the file. If the visitor is running an updated version of AV software, the modified files (which include images as well as .html) are detected as being infected.

- The visitor's browser is re-directed to the Russian URL listed below where a known Trojan program (msits.exe) is downloaded, along with some additional malware. Again, if the user's machine is updated with current AV software, this malware is detected and blocked. (Thanks, Michael!)

- The earliest reported infection was on June 20th (four days ago).

What we DON'T know, and can use some help in figuring out, is how the malware is installed on the IIS server to begin with. Is there a zero-day floating around? Is it via a known vulnerability and the use of agent.exe as mentioned above? (Ed Skoudis, one of our handlers, suggested that perhaps the IIS system admin used a local copy of IE to browse a site and pulled down hostile JavaScript. Does that jibe with anybody's findings?)

Our concern is that there might be an IIS zero-day floating around. We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched.

[original diary entry follows]

A reader pointed us to an IIS discussion group (microsoft.public.inetserver.iis.security) where several IIS administrators discovered some strange .dll files on their web servers in the past 24 hours. According to the discussion on that list, they are all 1kb .dll files. They were deposited in the \winnt\system32\inetsrv directory with names like iis7xy.dll where x is a random number that appears to be between 1-3 and y is a random character or number.

The .dll files contain JavaScript similar to the string below. I've intentionally added some spacing to defang it a bit:

... code snipped out ...

There are other reports in the past 24 hours indicating that this JavaScript has been seen appended to text files and other file types.

The Storm Center would like to know if others are seeing this phenomenon and if there are any ideas about its origin or intent (other than being an attempt to download malware - that's obvious). The IP address in the JavaScript points to a Russian site, and at the time of this writing it is still active. A note of caution - that site will attempt to insert malicious code onto a visiting machine. Use extreme caution if you decide to visit it.

Marcus H. Sachs
Handler on Duty

(Hat tip: IIS5 mailing list from iislists.com)

posted Thursday, June 24, 2004 1:00 PM by richard.dudley
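The diary describes two things a defender can look for without waiting on AV signatures: served objects (images, HTML, text) that carry a script block after the point where the file format legitimately ends, and tiny "dll" files in inetsrv that are really script. The following is an added example of both checks, written for this post and not code from SANS, the blog or Microsoft. The filename regex (iis7 + digit + letter/digit, loosened from the diary's "1-3" to any digit), the 1 KB bound and the sample JPEG/PNG/HTML bytes are all constructed assumptions; the footer string is a placeholder for the JavaScript the diary snipped out.

```python
"""Added detector for the IIS document-footer injection described in the
diary: a script fragment appended after the legitimate end of every served
file, and ~1 KB ".dll" files with names like iis7xy.dll dropped in inetsrv.
Constructed example, not code from SANS, the blog or Microsoft."""
import re

# Filename pattern reconstructed from the diary ("iis7xy.dll", x a digit, y a
# letter or digit; the diary saw x in 1-3, the digit class here is loosened on
# purpose). The 1 KB bound is the diary's. Both are assumptions, not a vendor
# signature.
DROPPED_DLL_RE = re.compile(r"^iis7[0-9][0-9a-z]\.dll$", re.IGNORECASE)
MAX_DROPPED_DLL_SIZE = 1024
SCRIPT_TAG_RE = re.compile(rb"<script\b", re.IGNORECASE)


def png_end(data: bytes) -> int:
    """Walk PNG chunks (length, type, data, CRC) and return the offset just past
    the IEND chunk, or -1 if the chunk stream is truncated."""
    pos = 8                                   # skip the 8-byte signature
    while pos + 8 <= len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        chunk_type = data[pos + 4:pos + 8]
        pos += 8 + length + 4                 # header + payload + CRC
        if chunk_type == b"IEND":
            return pos
    return -1


def legitimate_end(data: bytes) -> int:
    """Offset just past the last byte a well-formed file of this type should
    carry; -1 when the type is not one we can bound."""
    if data.startswith(b"\xff\xd8"):          # JPEG ends with the EOI marker FF D9
        i = data.rfind(b"\xff\xd9")           # appended script is text, so it has no 0xFF bytes
        return -1 if i < 0 else i + 2
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return png_end(data)
    i = data.lower().rfind(b"</html>")        # HTML: nothing should follow the last </html>
    return -1 if i < 0 else i + len(b"</html>")


def appended_script_offset(data: bytes) -> int:
    """Offset of a <script tag that sits after the file's legitimate end, else -1."""
    end = legitimate_end(data)
    if end < 0:
        return -1
    m = SCRIPT_TAG_RE.search(data, end)
    return m.start() if m else -1


def scan_response(content_type: str, body: bytes):
    """Proxy-side check of one served object. Returns (verdict, offset):
    'clean', 'script_after_end' (the footer pattern) or 'script_in_non_html'
    (script inside a type that should never carry any)."""
    ctype = content_type.split(";")[0].strip().lower()
    if ctype == "text/html":                  # script inside the page is normal; after it is not
        off = appended_script_offset(body)
        return ("script_after_end", off) if off >= 0 else ("clean", -1)
    m = SCRIPT_TAG_RE.search(body)
    if m is None:
        return ("clean", -1)
    end = legitimate_end(body)
    verdict = "script_after_end" if 0 <= end <= m.start() else "script_in_non_html"
    return (verdict, m.start())


def is_dropped_dll(name: str, size: int, data: bytes) -> bool:
    """Server-side check for the inetsrv artefacts: a tiny, oddly named .dll
    whose contents are script rather than a PE image."""
    return (DROPPED_DLL_RE.match(name) is not None
            and size <= MAX_DROPPED_DLL_SIZE
            and not data.startswith(b"MZ")
            and SCRIPT_TAG_RE.search(data) is not None)


# Constructed samples, not captures: a minimal JPEG, PNG and HTML page, plus a
# placeholder footer standing in for the JavaScript the diary snipped out.
FOOTER = b"<script>/* placeholder footer */</script>"
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + b"\xff\xd9"
PNG = (b"\x89PNG\r\n\x1a\n"
       + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\x00\x00\x00\x00"
       + b"\x00\x00\x00\x00IEND\xaeB`\x82")
HTML = b"<html><body><script>ok()</script></body></html>\n"

if __name__ == "__main__":
    for ctype, body in [("image/jpeg", JPEG + FOOTER), ("image/png", PNG),
                        ("text/html", HTML), ("text/html", HTML + FOOTER),
                        ("text/plain", b"robots\n" + FOOTER)]:
        print(ctype, scan_response(ctype, body))
    print(is_dropped_dll("iis72q.dll", len(FOOTER), FOOTER))
```

Run the same scan over responses captured at a proxy, or walk the web root and \winnt\system32\inetsrv on the server with `is_dropped_dll` and `appended_script_offset`. Two caveats: the check is tuned to the technique the diary describes, so a footer that itself contains a fake `</html>` or a 0xFF 0xD9 pair would push the "legitimate end" past itself and evade it; and it only inspects files and responses, not the IIS metabase setting that turns the footer on, so confirming that setting is still a manual step on each server.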

Florida to Tax Home Networks

Source: http://www.wired.com/news/business/0,1367,63962,00.html

Florida state officials are considering taxing home networks that have more than one computer, under a modified 1985 state law that was intended to tax the few businesses that used internal communication networks instead of the local telephone company.

Officials from Florida's Department of Revenue held a meeting on Tuesday to see whether the law would apply to wired households, and exactly who would be taxed. About 200 people attended, including community and business representatives.

posted Thursday, June 24, 2004 8:06 AM by richard.dudley




Powered by Dot Net Junkies, by Telligent Systems