FYI WatchGuard Security Alert

Archived from groups: (More info?)

Some people may already know this.

Duane :)


Hijacked Web Sites Spread Trojans to IE Visitors
Severity: High
25 June, 2004


Yesterday, NetSec Inc warned of a large-scale attack they detected
spreading from numerous Web sites (including popular destinations such as
search engines, online price-comparison sites, auction sites, and
financial institution sites) to unsuspecting Internet Explorer (IE)
users. Apparently, hackers have hijacked some IIS Web servers and
injected the sites' Web pages with malicious JavaScript code. The
hijacked Web sites exploit an unpatched IE vulnerability, spreading a
malicious Trojan to any IE user visiting the sites. The malicious Trojan
can install a keystroke logger, set up a malicious proxy server, or
install a back door, giving the attacker total control of the victim's
machine. See the Solution section below to learn how to protect your
users and your IIS server from this malware.

Late yesterday, NetSec Inc. warned that they were seeing some sort of
malware spreading from IIS Web servers of certain public sites. Today, a
few more details about this attack emerged. Hackers have apparently
somehow corrupted many Web sites, including some very popular ones, and
injected malicious JavaScript code into the document footer of all the
hijacked Web sites' pages.

If any IE user visits one of these infected Web sites, he triggers the
malicious JavaScript code, which exploits an unpatched IE vulnerability
(similar to the one described here). This causes the unsuspecting IE user
to automatically download and install one of many malicious Trojans from
a Russian site. Which specific Trojan the victim receives differs from
case to case. Some of the Trojans install keystroke loggers, others
install proxy servers, and some even backdoor your computer, allowing the
attacker full access. AV vendors have named some of these Trojans Scob,
Backdoor-AXJ and VBS/Psyme.

As this issue develops, many details remain unknown, and as a result,
much of the reporting is contradictory. The problem is complicated by the
fact that it concerns two vulnerabilities: one in IIS, and one in IE. For
now, experts still don't know exactly how the hackers gained control over
the hijacked IIS servers. We still don't know whether the attackers
manually hijacked each infected IIS server or if the IIS infection is
spreading automatically via some undiscovered worm or attack bot. The IE
vulnerability has no patch available, and according to some sources,
Microsoft is not close to offering one. That means all IE users are at
risk for the foreseeable future.

Although this attack vector seems new, hackers used a similar attack
method against a large Web hosting company called Interland in 2003.

Solution Path:
For IIS Administrators:

Though no one really knows how the hijacked IIS servers first became
infected by this malware, most experts suspect that the IIS servers were
attacked using vulnerabilities corrected by Microsoft's MS04-011 security
patch, described in our April 13 Vulnerability Alert. If you haven't
already applied this patch, you should do so immediately. Administrators
who applied this patch without rebooting report that they still remained
vulnerable to attack, so make sure to reboot your server after applying
the patch.

Is your own IIS server infected? SANS's write-up on this attack lists
symptoms to look for. You should verify that your server doesn't show any
of these symptoms.

For Internet Explorer Users:

The infected Web servers use an unpatched IE exploit to deliver the
malicious Trojan. All IE users are vulnerable to this attack except the
few using the Windows XP SP2 Release Candidate 2.

However, you can adjust some of IE's security settings to prevent this
attack from succeeding. (Before you try any of the steps in this
paragraph, read it completely, since this workaround may also hamper your
experience at uninfected Web sites.) This attack uses JavaScript, so have
all your IE users disable JavaScript in IE. To do so, click Tools =>
Internet Options => Security tab. Highlight the "Internet" Zone and then
click Custom Level. Scroll down to Scripting and disable both "Active
Scripting" and "Scripting of Java Applets." Keep in mind, some legitimate
sites use Java scripting and Active Scripting in order to work properly.
For instance, an Outlook Web Access server uses Active Scripting to
display mail to your users via a browser. If you encounter a legitimate
site that you must allow your users to access, we recommend you add that
site to the "Trusted Site" list in IE (also under Tools => Internet
Options => Security tab). You can learn more about adjusting IE's
security settings here.

Many AV vendors have added signatures which detect this malicious HTML
attack and the Trojans it delivers. We recommend you update your AV
signatures to make sure you can detect and prevent these attacks.

IE users should also make sure they are up-to-date with all IE patches.
Visiting Windows Update is the easiest way to see if an individual PC is
up to date.

For WatchGuard Firebox III, X, SOHO, and Vclass Users:
IIS Attack: Since the IIS infection vector remains unclear, we don't know
if WatchGuard firewalls help. However, if the attackers use one of the
vulnerabilities corrected by MS04-011, the attack likely uses one of
Microsoft's NetBIOS ports (TCP or UDP 135, 137, 138, 139, 445). All
WatchGuard firewalls block these ports by default.

IE Trojan Download: Unfortunately, the IE flaw that allows a Trojan to
automatically download to a victim computer looks like normal HTML, so
you can't block it through your WatchGuard firewalls. However, in order
to deliver the malicious Trojan, the current exploit code redirects your
browser to IP address Adding to your
Firebox Blocked Sites list helps prevent your users from downloading the
malicious Trojans associated with this attack:

Firebox SOHO. From the SOHO Web UI, click Blocked Sites under Firewall in
the left hand navigator. Next to Host IP Address, type
and press Add. Scroll to the bottom of the page and hit Submit.

Firebox III/X. In Policy Manager, go to Setup => Intrusion Prevention =>
Blocked Sites. Click Add, type and hit OK twice.

Firebox Vclass. In Vcontroller, click on System Configuration and then
Blocked Sites. Click Add, type and hit OK.

Note that hackers this resourceful could change which server delivers the
Trojans. Though it is wise to block, doing so is not
necessarily a permanent solution to this problem.
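
A defensive check for the footer injection the alert describes, added here as an example (it is not from the WatchGuard alert, NetSec or SANS): compare each static page as stored on disk with the body the server actually returns, and flag anything appended after the file's own content. It assumes static pages are served byte-for-byte; the function names, paths and sample pages are constructed for illustration.

```python
import re
from collections import Counter

SCRIPT_TAG = re.compile(rb"<\s*script\b", re.IGNORECASE)

def appended_footer(on_disk: bytes, served: bytes):
    """Bytes the server added after the on-disk content; b"" if identical;
    None if the served body is not simply 'file + suffix'."""
    if served == on_disk:
        return b""
    if served.startswith(on_disk):
        return served[len(on_disk):]
    return None

def audit(pages):
    """pages: {path: (on_disk_bytes, served_bytes)} -> (findings, shared_suffixes)."""
    findings, suffixes = [], Counter()
    for path, (disk, served) in sorted(pages.items()):
        extra = appended_footer(disk, served)
        if extra is None:
            findings.append((path, "body-differs"))      # changed some other way
        elif extra.strip():                              # ignore trailing whitespace
            kind = "script-footer" if SCRIPT_TAG.search(extra) else "footer"
            findings.append((path, kind))
            suffixes[extra] += 1
    # The same suffix on several pages points at a server-wide footer
    # setting rather than edits to individual files.
    shared = [s for s, n in suffixes.items() if n > 1]
    return findings, shared

# Constructed sample data: two pages with an identical appended script,
# one clean page, one page whose body was changed rather than appended to.
FOOTER = b'\n<script language="JavaScript">/* constructed placeholder */</script>'
SAMPLE = {
    "/index.html": (b"<html><body>Home</body></html>",
                    b"<html><body>Home</body></html>" + FOOTER),
    "/about.html": (b"<html><body>About</body></html>",
                    b"<html><body>About</body></html>" + FOOTER),
    "/clean.html": (b"<html><body>OK</body></html>",
                    b"<html><body>OK</body></html>"),
    "/edited.html": (b"<html><body>v1</body></html>",
                     b"<html><body>v2</body></html>"),
}

if __name__ == "__main__":
    findings, shared = audit(SAMPLE)
    for path, kind in findings:
        print(f"{kind:14} {path}")
    print(f"{len(shared)} suffix(es) shared across pages")
```
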

  1.

    > btw, some of the sites I read specifically recommended using Mozilla,
    > etc. for a while

    I may just go with XP's SP2 even if it's in its pre-release stage, just to
    get a hold of IE. I'll need to find out what services are being shut down
    with SP2 as I may need the service in my development work. This is going to
    be a PITA.

    Duane :)
  2.

    In article <Xns9514A99D69E2Bnotmenotmecoml@>, says...
    > Duane :)


    As I recall, the notices from WG are copyrighted and can't officially be
    pushed to the public without permission. I used to post them/parts of
    them until I was sent an email by WG about asking for permission first.

    (Remove 999 to reply to me)
  3.


    Duane :)
  4.


    I got a question about the WG firmware that's on the device in its out of
    the box state. Is it necessary to keep updating the WG like I did with the
    Linksys that doesn't have firmware upgrades for my V1 Linksys anymore?

    Duane :)
  5.

    In article <Xns951596058B07Enotmenotmecoml@>, says...
    > Hey,
    > I got a question about the WG firmware that's on the device in its out of
    > the box state. Is it necessary to keep updating the WG like I did with the
    > Linksys that doesn't have firmware upgrades for my V1 Linksys anymore?


    When it comes to firmware updates, I almost never apply them when they
    come out - Unless it's a gaping hole in the product (since this applies
    to anything, not just firewalls) I wait a couple weeks to get feedback
    from other users.

    As for firmware, I'm running a Firebox II on firmware that's had two
    updates since I last flashed it, none of the updates apply to my

    Now, as for you, assess the update, what it can do for you, and then
    determine if you want to use it - make sure that you keep a copy of the
    old version in case you need to go back.

    (Remove 999 to reply to me)