
CERT-In Incident Note CIIN-2004-08

Attacks on IIS Servers using malicious Java Scripts

Original Issue Date: Jun 27, 2004
Updated on: July 03, 2004

Severity: Medium

Systems Affected:

• IIS 5
• Windows 2000
• Windows XP
• Windows Server 2003
• Windows Me
• Windows 98
• Windows 95
• Windows NT

Overview

Microsoft has reported that a security issue known as Download.Ject is affecting customers using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer, components of Windows. This malicious code is also known as JS.Scob.Trojan, Scob, and JS.Toofer.

Impact

  • Compromised sites append malicious JavaScript to the end of their web pages.
  • When a user visits an infected website, the JavaScript is executed on the client machine.
  • The executed script then tries to fetch a malicious file hosted on another server, which can
    compromise the user's system.

Description

Web servers running Windows 2000 Server and IIS that have not applied patches mentioned in Microsoft Security Bulletin MS04-011 described in CERT-In Advisory CIAD-2004-10 are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code.

Antivirus vendors report that a Trojan dropper known as Trojan.Scob!dr drops a VBScript file named ads.vbs in the current folder; the file tends to go unnoticed because it shares its name with an IIS web server utility. It further drops a file named iisXXX.dll (where XXX is a hexadecimal number) in the system directory, and the web server is configured to use this file as its document footer. The footer content appended to pages is JavaScript, reported to be detected as JS.Scob.Trojan!inf, and it directs visitors to a remote web server hosting malicious JavaScript.

Symptoms

  • Document footer is enabled on websites on the IIS server, and the path to the document footer file points to a file with a name similar to %Systemroot%\Winnt\System32\Inetsrv\Iis<3 random digits>.dll.
  • Presence of the files Adv.vbs, Agent.exe or Ftpcmd.txt in the System32 folder.
  • Presence of files of the form iis<3 random digits>.dll in the folder %Systemroot%\System32\inetsrv.

Solution

System Administrators using IIS Server on Windows 2000

Apply the appropriate patches as described in CERT-In Advisory CIAD-2004-10 and Microsoft Security Bulletin MS04-011.
If the server is compromised, Microsoft recommends rebuilding it. To manually remove the files that are part of the compromise:
(a) After installing the security update, delete the following files:

%windir%\System32\Adv.vbs
%windir%\System32\Ftpcmd.txt
%windir%\System32\Agent.exe
%windir%\System32\Ads.vbs
%windir%\System32\Inetsrv\Iis<3 random digits>.dll

(b) Remove the document footer by following the procedure given in Microsoft KB article 871277.

Users

  • Apply the latest updates from the Windows Update website.
  • Search for the files Kk32.dll and Surf.dat; if either is found, clean the system using antivirus utilities.
  • Increase browser security as outlined in the Microsoft article
    http://www.microsoft.com/security/incident/settings.mspx
  • Maintain up-to-date antivirus software.
NOTE:

Microsoft has released a configuration change for Windows XP, Windows 2000, and Windows Server 2003 to address the attacks described above. This update is available at
http://windowsupdate.microsoft.com

Details regarding this update can be found at:
http://support.microsoft.com/default.aspx?kbid=870669
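A small triage script, added here as an example (it is not part of the CERT-In note or of Microsoft's guidance), that checks file paths against the indicators listed in the Symptoms and Users sections and flags a document footer that points at an iisXXX.dll. The EnableDocFooter and DefaultDocFooter names are the IIS metabase properties assumed to hold the footer setting; the sample paths in the comments are constructed.

```python
import os
import re
from typing import Dict, List

# Server-side dropper files named in the Symptoms/Solution sections
# (matching is case-insensitive, as on Windows file systems).
SERVER_FILES = {"adv.vbs", "ads.vbs", "ftpcmd.txt", "agent.exe"}
# Footer DLL: "iis" followed by three hex digits, e.g. iis7a3.dll (constructed name).
FOOTER_DLL = re.compile(r"^iis[0-9a-f]{3}\.dll$", re.IGNORECASE)
# Client-side files named in the Users section.
CLIENT_FILES = {"kk32.dll", "surf.dat"}


def classify_path(path: str) -> List[str]:
    """Return the indicator tags that one file path matches (empty if none)."""
    norm = path.replace("/", "\\").lower()
    parent, _, name = norm.rpartition("\\")
    tags = []
    if parent.endswith("system32") and name in SERVER_FILES:
        tags.append("dropper-file")
    if parent.endswith("inetsrv") and FOOTER_DLL.match(name):
        tags.append("footer-dll")
    if parent.endswith("system32") and name in CLIENT_FILES:
        tags.append("client-file")
    return tags


def check_footer(enable_doc_footer: bool, default_doc_footer: str) -> bool:
    """True when the document footer is enabled and points at an iisXXX.dll.

    The arguments mirror the assumed IIS metabase properties EnableDocFooter
    and DefaultDocFooter (read them with adsutil.vbs or the IIS snap-in).
    """
    if not enable_doc_footer or not default_doc_footer:
        return False
    name = default_doc_footer.replace("/", "\\").rpartition("\\")[2]
    return FOOTER_DLL.match(name) is not None


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree (e.g. %SystemRoot%\\System32) and collect hits."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            tags = classify_path(full)
            if tags:
                findings[full] = tags
    return findings


if __name__ == "__main__":
    root = os.path.join(os.environ.get("SystemRoot", r"C:\WINNT"), "System32")
    for path, tags in scan_tree(root).items():
        print(path, tags)
```

A hit on "footer-dll" or a true result from check_footer is a reason to follow the rebuild advice above rather than to delete files piecemeal.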

References

Microsoft
http://www.microsoft.com/security/incident/download_ject.mspx

http://support.microsoft.com/?kbid=871277

http://support.microsoft.com/default.aspx?scid=kb;en-us;833633

US-CERT
http://www.us-cert.gov/current/current_activity.html#iis5

Anti Virus vendors

Symantec
http://securityresponse.symantec.com/avcenter/venc/data/js.scob.trojan.html

Computer Associates
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39438

Network Associates
http://vil.nai.com/vil/content/v_126452.htm#VirusChar

Trendmicro
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_SCOB.A&VSect=T

F-secure
http://www.f-secure.com/v-descs/scob.shtml

Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003