Attack on IIS Web Sites Infects Browsers With Malicious Code

Updated: Security analysts say that the malicious code that has been infecting some Windows machines was planted via an IIS vulnerability on the Web servers that host some high-traffic sites. The attack uses vul

Security analysts say that the malicious code that has been infecting some Windows machines since Thursday morning was planted via an IIS (Internet Information Services) vulnerability on the Web servers that host some high-traffic sites.

Users visiting those sites have had their machines infected with a piece of code that installs a keystroke logger and other malicious tools.

The attack appears to affect only machines running Internet Explorer, and users do not have to click on any links or images in order for the code to download. The Trojan thats installed on compromised machines is a fairly simple one.

"A large number of web sites, some of them quite popular, were compromised earlier this week to distribute malicious code. The attacker uploaded a small file with javascript to infected web sites, and altered the web server configuration to append the script to all files served by the web server," Johannes Ullrich, a handler at the Internet Storm Center at The SANS Institute in Bethesda, Md., wrote in the ISCs online diary Friday.

Microsoft has issued a security alert on the attack, called Download.Ject. The company says that their MS04-011 update, issued in April, addresses vulnerability to the attack on the server end. The bulletin also says that systems running Release Candidate 2 of Windows XP Service Pack 2 are not vulnerable to the client-side attack, and that other systems can be protected from downloads of malicious code by having all current critical patches installed and running Internet Explorer with its security settings at "High."

"Several server administrators reported that they were fully patched. If a user visited an infected site, the javascript delivered by the site would instruct the users browser to download an executable from a Russian web site and install it.

"Different executables were observed. These trojan horse programs include keystroke loggers, proxy servers and other back doors providing full access to the infected system. The javascript uses a so far unpatched vulnerability in [Internet Explorer] to download and execute the code. No warning will be displayed."

Most of the compromised Web servers are running IIS 5.0, an older version of Microsoft Corp.s Web server software. Once a visitors PC is compromised, the code contacts two remote machines—one in Russia and one in the United States—and attempts to download more files to the machine.


For insights on security coverage around the Web, check out Security Center Editor Larry Seltzers Weblog.

Some of the details of the attack are still unclear. For example, the client-side attack code is pulled from specific sites which appear no longer to be available. Initial reports that the attack used infected graphics files turned out to be false.

There is no current estimate on the number of infected clients or Web servers, but analysts at NetSec Inc., a managed security services provider in Herndon, Va., began seeing the attacks early Thursday morning on a number of Web sites. The only indication users may have of an infection would be an error message about a JavaScript error, but that may not appear, depending on how the attack code interacts with JavaScript on other pages, experts say.

The US-CERT has issued a warning about this threat, and says that it is investigating the activity. Advisories from Symantec and Computer Associates both currently describe the attack as rare.


Check out eWEEK.coms Security Center at for the latest security news, reviews and analysis.


Be sure to add our developer and Web services news feed to your RSS newsreader or My Yahoo page