Attack on IIS Web Sites Infects Browsers With Malicious Code

By Larry Seltzer  |  Posted 2004-06-25 Print this article Print

Updated: Security analysts say that the malicious code that has been infecting some Windows machines was planted via an IIS vulnerability on the Web servers that host some high-traffic sites. The attack uses vul

Security analysts say that the malicious code that has been infecting some Windows machines since Thursday morning was planted via an IIS (Internet Information Services) vulnerability on the Web servers that host some high-traffic sites. Users visiting those sites have had their machines infected with a piece of code that installs a keystroke logger and other malicious tools.
The attack appears to affect only machines running Internet Explorer, and users do not have to click on any links or images in order for the code to download. The Trojan thats installed on compromised machines is a fairly simple one.
"A large number of web sites, some of them quite popular, were compromised earlier this week to distribute malicious code. The attacker uploaded a small file with javascript to infected web sites, and altered the web server configuration to append the script to all files served by the web server," Johannes Ullrich, a handler at the Internet Storm Center at The SANS Institute in Bethesda, Md., wrote in the ISCs online diary Friday. Microsoft has issued a security alert on the attack, called Download.Ject. The company says that their MS04-011 update, issued in April, addresses vulnerability to the attack on the server end. The bulletin also says that systems running Release Candidate 2 of Windows XP Service Pack 2 are not vulnerable to the client-side attack, and that other systems can be protected from downloads of malicious code by having all current critical patches installed and running Internet Explorer with its security settings at "High."

"Several server administrators reported that they were fully patched. If a user visited an infected site, the javascript delivered by the site would instruct the users browser to download an executable from a Russian web site and install it. "Different executables were observed. These trojan horse programs include keystroke loggers, proxy servers and other back doors providing full access to the infected system. The javascript uses a so far unpatched vulnerability in [Internet Explorer] to download and execute the code. No warning will be displayed." Most of the compromised Web servers are running IIS 5.0, an older version of Microsoft Corp.s Web server software. Once a visitors PC is compromised, the code contacts two remote machines—one in Russia and one in the United States—and attempts to download more files to the machine. For insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog. Some of the details of the attack are still unclear. For example, the client-side attack code is pulled from specific sites which appear no longer to be available. Initial reports that the attack used infected graphics files turned out to be false.

There is no current estimate on the number of infected clients or Web servers, but analysts at NetSec Inc., a managed security services provider in Herndon, Va., began seeing the attacks early Thursday morning on a number of Web sites. The only indication users may have of an infection would be an error message about a JavaScript error, but that may not appear, depending on how the attack code interacts with JavaScript on other pages, experts say. The US-CERT has issued a warning about this threat, and says that it is investigating the activity. Advisories from Symantec and Computer Associates both currently describe the attack as rare.

Check out eWEEK.coms Security Center at for the latest security news, reviews and analysis.

Be sure to add our developer and Web services news feed to your RSS newsreader or My Yahoo page

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel