Archived from groups: comp.security.firewalls (More info?)
Some people may already know this.
Duane
<snip>
Hijacked Web Sites Spread
Trojans to IE Visitors
Severity: High
25 June, 2004
Summary:
Yesterday, NetSec Inc warned of a large-scale attack they detected
spreading from numerous Web sites (including popular destinations such as
search engines, online price-comparison sites, auction sites, and
financial institution sites) to unsuspecting Internet Explorer (IE)
users. Apparently, hackers have hijacked some IIS Web servers and
injected the sites' Web pages with malicious JavaScript code. The
hijacked Web sites exploit an unpatched IE vulnerability, spreading a
malicious Trojan to any IE user visiting the sites. The malicious Trojan
can install a keystroke logger, set up a malicious proxy server, or
install a back door, giving the attacker total control of the victim's
machine. See the Solution section below to learn how to protect your
users and your IIS server from this malware.
Exposure:
Late yesterday, NetSec Inc. warned that they were seeing some sort of
malware spreading from IIS Web servers of certain public sites. Today, a
few more details about this attack emerged. Hackers have apparently
somehow corrupted many Web sites, including some very popular ones, and
injected malicious JavaScript code into the document footer of all the
hijacked Web sites' pages.
If any IE user visits one of these infected Web sites, he triggers the
malicious JavaScript code, which exploits an unpatched IE vulnerability
(similar to the one described here). This causes the unsuspecting IE user
to automatically download and install one of many malicious Trojans from
a Russian site. Which specific Trojan the victim receives differs from
case to case. Some of the Trojans install keystroke loggers, others
install proxy servers, and some even backdoor your computer, allowing the
attacker full access. AV vendors have named some of these Trojans Scob,
Backdoor-AXJ and VBS/Psyme.
As this issue develops, many details remain unknown, and as a result,
much of the reporting is contradictory. The problem is complicated by the
fact that it concerns two vulnerabilities: one in IIS, and one in IE. For
now, experts still don't know exactly how the hackers gained control over
the hijacked IIS servers. We still don't know whether the attackers
manually hijacked each infected IIS server or if the IIS infection is
spreading automatically via some undiscovered worm or attack bot. The IE
vulnerability has no patch available, and according to some sources,
Microsoft is not close to offering one. That means all IE users are at
risk for the foreseeable future.
Although this attack vector seems new, hackers used a similar attack
method against a large Web hosting company called Interland in 2003.
Solution Path:
For IIS Administrators:
Though no one really knows how the hijacked IIS servers first became
infected by this malware, most experts suspect that the IIS servers were
attacked using vulnerabilities corrected by Microsoft's MS04-011 security
patch, described in our April 13 Vulnerability Alert. If you haven't
already applied this patch, you should do so immediately. Administrators
who applied this patch without rebooting report that they still remained
vulnerable to attack, so make sure to reboot your server after applying
the patch.
Is your own IIS server infected? SANS's write-up on this attack lists
symptoms to look for. You should verify that your server doesn't show any
of these symptoms.
For Internet Explorer Users:
The infected Web servers use an unpatched IE exploit to deliver the
malicious Trojan. All IE users are vulnerable to this attack except the
few using the Windows XP SP2 Release Candidate 2.
However, you can adjust some of IE's security settings to prevent this
attack from succeeding. (Before you try any of the steps in this
paragraph, read it completely, since this workaround may also hamper your
experience at uninfected Web sites.) This attack uses JavaScript, so have
all your IE users disable JavaScript in IE. To do so, click Tools =>
Internet Options => Security tab. Highlight the "Internet" Zone and then
click Custom Level. Scroll down to Scripting and disable both "Active
Scripting" and "Scripting of Java Applets." Keep in mind, some legitimate
sites use Java scripting and Active Scripting in order to work properly.
For instance, an Outlook Web Access server uses Active Scripting to
display mail to your users via a browser. If you encounter a legitimate
site that you must allow your users to access, we recommend you add that
site to the "Trusted Site" list in IE (also under Tools => Internet
Options => Security tab). You can learn more about adjusting IE's
security settings here.
Many AV vendors have added signatures which detect this malicious HTML
attack and the Trojans it delivers. We recommend you update your AV
signatures to make sure you can detect and prevent these attacks.
IE users should also make sure they are up-to-date with all IE patches.
Visiting Windows Update is the easiest way to see if an individual PC is
up to date.
For WatchGuard Firebox III, X, SOHO, and Vclass Users:
IIS Attack: Since the IIS infection vector remains unclear, we don't know
if WatchGuard firewalls help. However, if the attackers use one of the
vulnerabilities corrected by MS04-011, the attack likely uses one of
Microsoft's NetBIOS ports (TCP or UDP 135, 137, 138, 139, 445). All
WatchGuard firewalls block these ports by default.
IE Trojan Download: Unfortunately, the IE flaw that allows a Trojan to
automatically download to a victim computer looks like normal HTML, so
you can't block it through your WatchGuard firewalls. However, in order
to deliver the malicious Trojan, the current exploit code redirects your
browser to IP address 217.107.218.147. Adding 217.107.218.147 to your
Firebox Blocked Sites list helps prevent your users from downloading the
malicious Trojans associated with this attack:
Firebox SOHO. From the SOHO Web UI, click Blocked Sites under Firewall in
the left hand navigator. Next to Host IP Address, type 217.107.218.147
and press Add. Scroll to the bottom of the page and hit Submit.
Firebox III/X. In Policy Manager, go to Setup => Intrusion Prevention =>
Blocked Sites. Click Add, type 217.107.218.147 and hit OK twice.
Firebox Vclass. In Vcontroller, click on System Configuration and then
Blocked Sites. Click Add, type 217.107.218.147 and hit OK.
Note that hackers this resourceful could change which server delivers the
Trojans. Though it is wise to block 217.107.218.147, doing so is not
necessarily a permanent solution to this problem.
<snip>
Some people may already know this.
Duane
<snip>
Hijacked Web Sites Spread
Trojans to IE Visitors
Severity: High
25 June, 2004
Summary:
Yesterday, NetSec Inc warned of a large-scale attack they detected
spreading from numerous Web sites (including popular destinations such as
search engines, online price-comparison sites, auction sites, and
financial institution sites) to unsuspecting Internet Explorer (IE)
users. Apparently, hackers have hijacked some IIS Web servers and
injected the sites' Web pages with malicious JavaScript code. The
hijacked Web sites exploit an unpatched IE vulnerability, spreading a
malicious Trojan to any IE user visiting the sites. The malicious Trojan
can install a keystroke logger, set up a malicious proxy server, or
install a back door, giving the attacker total control of the victim's
machine. See the Solution section below to learn how to protect your
users and your IIS server from this malware.
Exposure:
Late yesterday, NetSec Inc. warned that they were seeing some sort of
malware spreading from IIS Web servers of certain public sites. Today, a
few more details about this attack emerged. Hackers have apparently
somehow corrupted many Web sites, including some very popular ones, and
injected malicious JavaScript code into the document footer of all the
hijacked Web sites' pages.
If any IE user visits one of these infected Web sites, he triggers the
malicious JavaScript code, which exploits an unpatched IE vulnerability
(similar to the one described here). This causes the unsuspecting IE user
to automatically download and install one of many malicious Trojans from
a Russian site. Which specific Trojan the victim receives differs from
case to case. Some of the Trojans install keystroke loggers, others
install proxy servers, and some even backdoor your computer, allowing the
attacker full access. AV vendors have named some of these Trojans Scob,
Backdoor-AXJ and VBS/Psyme.
As this issue develops, many details remain unknown, and as a result,
much of the reporting is contradictory. The problem is complicated by the
fact that it concerns two vulnerabilities: one in IIS, and one in IE. For
now, experts still don't know exactly how the hackers gained control over
the hijacked IIS servers. We still don't know whether the attackers
manually hijacked each infected IIS server or if the IIS infection is
spreading automatically via some undiscovered worm or attack bot. The IE
vulnerability has no patch available, and according to some sources,
Microsoft is not close to offering one. That means all IE users are at
risk for the foreseeable future.
Although this attack vector seems new, hackers used a similar attack
method against a large Web hosting company called Interland in 2003.
Solution Path:
For IIS Administrators:
Though no one really knows how the hijacked IIS servers first became
infected by this malware, most experts suspect that the IIS servers were
attacked using vulnerabilities corrected by Microsoft's MS04-011 security
patch, described in our April 13 Vulnerability Alert. If you haven't
already applied this patch, you should do so immediately. Administrators
who applied this patch without rebooting report that they still remained
vulnerable to attack, so make sure to reboot your server after applying
the patch.
Is your own IIS server infected? SANS's write-up on this attack lists
symptoms to look for. You should verify that your server doesn't show any
of these symptoms.
For Internet Explorer Users:
The infected Web servers use an unpatched IE exploit to deliver the
malicious Trojan. All IE users are vulnerable to this attack except the
few using the Windows XP SP2 Release Candidate 2.
However, you can adjust some of IE's security settings to prevent this
attack from succeeding. (Before you try any of the steps in this
paragraph, read it completely, since this workaround may also hamper your
experience at uninfected Web sites.) This attack uses JavaScript, so have
all your IE users disable JavaScript in IE. To do so, click Tools =>
Internet Options => Security tab. Highlight the "Internet" Zone and then
click Custom Level. Scroll down to Scripting and disable both "Active
Scripting" and "Scripting of Java Applets." Keep in mind, some legitimate
sites use Java scripting and Active Scripting in order to work properly.
For instance, an Outlook Web Access server uses Active Scripting to
display mail to your users via a browser. If you encounter a legitimate
site that you must allow your users to access, we recommend you add that
site to the "Trusted Site" list in IE (also under Tools => Internet
Options => Security tab). You can learn more about adjusting IE's
security settings here.
Many AV vendors have added signatures which detect this malicious HTML
attack and the Trojans it delivers. We recommend you update your AV
signatures to make sure you can detect and prevent these attacks.
IE users should also make sure they are up-to-date with all IE patches.
Visiting Windows Update is the easiest way to see if an individual PC is
up to date.
For WatchGuard Firebox III, X, SOHO, and Vclass Users:
IIS Attack: Since the IIS infection vector remains unclear, we don't know
if WatchGuard firewalls help. However, if the attackers use one of the
vulnerabilities corrected by MS04-011, the attack likely uses one of
Microsoft's NetBIOS ports (TCP or UDP 135, 137, 138, 139, 445). All
WatchGuard firewalls block these ports by default.
IE Trojan Download: Unfortunately, the IE flaw that allows a Trojan to
automatically download to a victim computer looks like normal HTML, so
you can't block it through your WatchGuard firewalls. However, in order
to deliver the malicious Trojan, the current exploit code redirects your
browser to IP address 217.107.218.147. Adding 217.107.218.147 to your
Firebox Blocked Sites list helps prevent your users from downloading the
malicious Trojans associated with this attack:
Firebox SOHO. From the SOHO Web UI, click Blocked Sites under Firewall in
the left hand navigator. Next to Host IP Address, type 217.107.218.147
and press Add. Scroll to the bottom of the page and hit Submit.
Firebox III/X. In Policy Manager, go to Setup => Intrusion Prevention =>
Blocked Sites. Click Add, type 217.107.218.147 and hit OK twice.
Firebox Vclass. In Vcontroller, click on System Configuration and then
Blocked Sites. Click Add, type 217.107.218.147 and hit OK.
Note that hackers this resourceful could change which server delivers the
Trojans. Though it is wise to block 217.107.218.147, doing so is not
necessarily a permanent solution to this problem.
<snip>
Facebook
Twitter
Instagram