Old 06-25-2004, 07:28 AM   #1
KRL
Entrepreneur
 
Join Date: Oct 2002
Location: USA
Posts: 31,429
Detailed Information On The New Hidden hahahahahahahahahaha Virus

NOTE: "JavaScript" is the word the forum's filter mangles.

Compromised Web Sites Infect Web Surfers

(for more details, also see yesterday's diary: http://isc.sans.org/diary.php?date=2004-06-24 )
Updates will be posted here.

A large number of web sites, some of them quite popular, were compromised earlier this week to distribute malicious code. The attacker uploaded a small file with JavaScript to infected web sites, and altered the web server configuration to append the script to all files served by the web server. The Storm Center and others are still investigating the method used to compromise the servers. Several server administrators reported that they were fully patched.

If a user visited an infected site, the JavaScript delivered by the site would instruct the user's browser to download an executable from a Russian web site and install it. Different executables were observed. These trojan horse programs include keystroke loggers, proxy servers and other back doors providing full access to the infected system.

The JavaScript uses a so far unpatched vulnerability in MSIE to download and execute the code. No warning will be displayed. The user does not have to click on any links. Just visiting an infected site will trigger the exploit.

If your SERVER was compromised, you will observe:

* All files sent by the web server will include the JavaScript. As the JavaScript is delivered by the web server as a global footer, images and other documents (robots.txt, Word files) will include the JavaScript as well.
* The files on your server will not be altered. The JavaScript is included as a global footer and appended by the server as they are delivered to the browser.
* You will find that the global footer is set to a new file.
* For snort signatures, see http://www.bleedingsnort.com


We do not know at this point how the affected servers have been compromised. The SSL-PCT exploit is at the top of our list of suspects. If you find a compromised server, we strongly recommend a complete rebuild. You may be able to get your web site back into business by changing the footer setting and removing the JavaScript file. But this is likely a very sophisticated attack and you should expect other stealthy backdoors.

If you visited an affected page, and your BROWSER is compromised:

* You may see a warning about a JavaScript error. But it depends on how the attack code interferes with other JavaScript on the respective page, and many users disable these JavaScript warnings.
* Disconnect the system from the network as soon as possible.
* Run a thorough virus check with up-to-date virus definitions. Many AV vendors released new definitions as recently as last night.
* If you are able to monitor traffic to the infected host, you may see attempts to contact 217.107.218.147 on port 80.
* AV software will detect the JavaScript as 'JS.Scob.Trojan'.

FAQs about this attack:

- Is this the first time web servers have been compromised to attack browsers?

No. Nimda attempted the same trick, using an older MSIE exploit. Other attempts have been observed in the past. This attack is special because it affects a large number of servers and is not easily detectable.

- Will affected websites be "defaced" or otherwise altered?

No. In most cases, the web sites will look just like usual to the casual browser. The infected JavaScript may interfere with other JavaScript on the respective page.

- Will the JavaScript attached to images be executed?

No. The JavaScript attached to images is harmless. It's the JavaScript attached to the .htm or .html files that gets executed, forcing the browser to connect to the Russian site.

- How can I protect my web server from becoming infected and used as a host for the script?

Apply all necessary patches. If you find an unpatched web server, assume it has been compromised even if you do not see an obvious sign of an attack. Given the current threat environment, an unpatched web server is likely to be attacked successfully within a few hours.

- How can I protect my users from these web sites? Do you publish a list? Should they stop browsing?

We do not provide a list of infected sites. Instead we try to work with site administrators to have them shut down as soon as possible. Right now, we don't know of any sites that are still hosting the script. Given that this attack is likely going to be repeated using different JavaScript code, we recommend that you (*) install and maintain anti-virus software, (*) if possible turn off JavaScript, or use a browser other than MSIE until the current vulnerabilities in MSIE are patched.

Relevant Links

Analysis of the underlying MSIE vulnerability:
! This link will trigger some warnings from AV software !
http://62.131.86.111/analysis.htm (thanks to Olivier de Jong)

Symantec writeup for js.scob.trojan:
http://securityresponse.symantec.com...ob.trojan.html

MSIE Exploit information from Security Focus:
http://www.securityfocus.com/bid/10472
http://www.securityfocus.com/bid/10473
CHMM Vulnerability (not used here, but used by similar exploits): http://www.securityfocus.com/bid/9658/info/

F-Secure Information:
http://www.f-secure.com/weblog/
http://www.f-secure.com/v-descs/scob.shtml
http://www.f-secure.com/v-descs/padodorw.shtml

Microsoft Alert:
http://www.microsoft.com/security/in...load_ject.mspx

UseNet Discussion about IIS exploits:
http://www.derkeiler.com/Newsgroups/...4-06/0588.html

Snort Rule:
http://snort.infotex.com/cgi-bin/vie...known_IIS_Worm
__________________
If you would like to develop your domains, you can lease inexpensive foreign labor
from the leaders in the field at iWebmasters.com TO LOWER YOUR COSTS AND INCREASE YOUR PRODUCTION!

*** *** *** *** *** *** *** *** *** *** *** ***
Domains Adult News KRL's Newsletter Biz Tips Just Listed Domains

Last edited by KRL; 06-25-2004 at 07:29 AM..
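The server-side symptom described in the advisory above (a script footer appended by the web server to every response, including robots.txt and images, with the files on disk left untouched) can be checked from the outside by inspecting raw HTTP responses. The following is an added example, not code from the ISC diary or from this thread: it parses a handful of constructed sample responses and flags a `<script` tag in any non-HTML body, or a `<script` tag that appears after the closing `</html>` of an HTML page, which is where a server-appended footer ends up. The sample responses, the `Finding` type and the function names are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample responses (not captured from the 2004 incident):
#  0: a clean HTML page
#  1: an HTML page with a footer script appended after </html>
#  2: robots.txt carrying the same appended footer
#  3: a GIF body carrying the same appended footer
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>Hello</body></html>",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body>Hello</body></html>\r\n"
    '<script language="JavaScript">/* appended footer */</script>',
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    "User-agent: *\r\nDisallow: /admin\r\n"
    '<script language="JavaScript">/* appended footer */</script>',
    "HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\n\r\n"
    'GIF89a....<script language="JavaScript">x</script>',
]

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


@dataclass
class Finding:
    content_type: str
    reason: str


def split_response(raw: str) -> Tuple[str, str]:
    """Return (content-type, body) for a raw HTTP/1.x response string.

    The media type is lower-cased and stripped of parameters (charset etc.);
    a response without a Content-Type header is treated as an opaque blob.
    """
    head, _, body = raw.partition("\r\n\r\n")
    content_type = "application/octet-stream"
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            content_type = value.strip().split(";")[0].strip().lower()
    return content_type, body


def check_response(raw: str) -> Optional[Finding]:
    """Flag a response that looks like it carries a server-appended script footer."""
    content_type, body = split_response(raw)
    if content_type != "text/html":
        # robots.txt, images, Word files etc. should never contain a script tag
        if SCRIPT_TAG.search(body):
            return Finding(content_type, "script tag in non-HTML response")
        return None
    # For HTML, only a script tag *after* the closing </html> is suspicious:
    # a document footer is appended after the page's own content.
    end = body.lower().rfind("</html>")
    if end != -1 and SCRIPT_TAG.search(body, end):
        return Finding(content_type, "script tag appended after </html>")
    return None


def scan(responses: List[str]) -> List[Finding]:
    """Run check_response over a batch of raw responses and keep the hits."""
    return [f for f in (check_response(r) for r in responses) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_RESPONSES):
        print(f"{finding.content_type}: {finding.reason}")
```

Fetching a site's robots.txt and one image over plain HTTP and feeding the raw bytes to `check_response` is enough to spot this particular symptom without touching the server; a hit on a non-HTML resource is a strong signal, since nothing legitimate appends script to those.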
Old 06-25-2004, 07:30 AM   #2
KRL
Entrepreneur
 
Join Date: Oct 2002
Location: USA
Posts: 31,429
http://isc.sans.org/
Old 06-25-2004, 07:32 AM   #3
KRL
Entrepreneur
 
Join Date: Oct 2002
Location: USA
Posts: 31,429
How to Tell If You Are Affected

To determine if the malicious code is on your computer:

* On the taskbar at the bottom of your screen, click Start, and then click Search.
* Under "What do you want to search for?" click All files and folders.
* Under "All or part of the file name:" enter the following text to search for both of these files:

Kk32.dll
Surf.dat

If either of these files is present, your computer may be infected. You can clean your computer by using up-to-date antivirus software, a key step in protecting your PC. You can obtain antivirus protection from the following software vendors participating in the Microsoft Virus Information Alliance:
Old 06-25-2004, 07:44 AM   #4
cool1
sex is good
 
Join Date: Sep 2001
Location: Carman, MB Canada
Posts: 24,939
Thanks for the info
Old 06-25-2004, 08:13 AM   #5
Juicy D. Links
So Fucking Banned
 
Join Date: Apr 2001
Location: N.Y. -Long Island --
Posts: 122,992
KRL i am having a elite gfy sig whore meeting in FLA . Since me and you are sig whores and nothing else I would like for you to attend and help me in the seminars