Summary: Microsoft is very wrong in the information it is presenting about Download.Ject (also known as JS.Scob.Trojan, Scob, and JS.Toofeer).
Many media sources have also been presenting factually incorrect information on these viruses.

What Is Happening:

CERT advises people not to use Internet Explorer:
http://www.kb.cert.org/vuls/id/713878

This issue is a vulnerability which was found being used by a spyware distributor in the wild. Many media sources are erroneously reporting this vulnerability as being the same one Microsoft speaks of in the Scob/MS.Ject attack (from "What You Should Know About Download.Ject", http://www.microsoft.com/security/incident/download_ject.mspx):

"The second is a recently discovered issue that Microsoft is currently investigating in order to provide a solution. Customers who are already following our safe browsing guidance significantly reduce their risk from this type of attack."

This is patently not true. Jelmer found this issue some ten months ago. It is not the recently discovered, unknown vulnerability. This is the old ADODB.Stream issue. And it is not being used by a spyware distributor; it is being used to steal credit cards by outright trojans.

BID: 10514
Previously: BID: 8577, Published Date: Aug 23, 2003
http://www.securityfocus.com/bid/10514/credit/
http://www.securityfocus.com/bid/8577

The original published paper by Jelmer:
http://seclists.org/lists/fulldisclosure/2003/Aug/1703.html

So much for this "previously unknown vulnerability": it has been known for ten months.

To be fair, I think their tech writers and marketers got confused in transmission from their IE security guys. It is extremely confusing. But this is a major warning they are giving to all of their customers. They are a multibillion-dollar company that claims security is its first priority. They need to be held to that standard.
References on Scob:
http://www.securityfocus.com/archive/1/367120/2004-06-20/2004-06-26/0
http://tms.symantec.com/documents/040617-Analysis-FinancialInstitutionCompromise.pdf
http://tms.symantec.com/documents/040624-Alert-CompromisedIISServerReports.pdf

The original surfacing of this attack, in all likelihood used by the same criminals (March 2004). Yes, same technique as Scob, same end result: stealing CC info.
http://groups.google.com/groups?selm=c4a26d%241koc%241%40FreeBSD.csie.NCTU.edu.tw&output=gplain

End Note:

It might be noted that these attacks are not so widespread as to merit the kind of media attention they have received. However, I see this as a kind of "misplaced" new urgency; this urgency should have been there in the first place. In its lateness we also see a lot of inaccuracy, though it might be noted that these issues are rather complex and can be very confusing because of the lack of proper naming conventions and such.

In other words: Big money and zero day. The connection has been made.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html