Web servers still doling out "Scob" code

BOSTON - More than 100 Web servers are still distributing the "Scob" malicious code, first identified two weeks ago as code used in a widespread attack to plant Trojan horse programs on vulnerable computers, according to one computer security company. That attack used compromised Microsoft Corp. Internet Information Services (IIS) Web servers to distribute the Trojan horse programs.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

Enterprise security software maker Websense Inc. discovered 114 Web sites that are distributing variations of a malicious JavaScript program known as "Scob," or "Download.Ject." Whereas the attack initially targeted only Web servers running IIS Version 5, the majority of infected sites now run IIS Version 6, after administrators upgraded the systems, unaware their servers were already infected, said Dan Hubbard, director of security and technology research at Websense Inc.

Websense, of San Diego, discovered the infected sites during its daily "mining" of more than 24 million Web sites, which the company uses to detect Web- and Internet-based threats. The company modified its mining algorithms on June 24 to search for Web sites distributing the Scob code, and has been monitoring such sites since then, he said.

The 100 affected sites are all running either IIS 5.0 or 6.0. Attack code distributed by the infected servers still points to Web sites used in the attack, which were taken off-line shortly after news of the original attacks spread, meaning that the continued malicious code attacks have probably not resulted in new Trojan infections, Hubbard said.

First detected on June 24, the Scob attacks have been attributed to a Russian hacking group known as the "hangUP team," which used a recently-patched buffer overflow vulnerability in Microsoft's implementation of SSL (secure sockets layer) to compromise vulnerable Windows 2000 systems running IIS Version 5 Web servers. Companies that used IIS Version 5 and failed to apply a recent security software patch, MS04-011, were vulnerable to compromise. (See: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.)

The June attacks also used two vulnerabilities in Windows and the Internet Explorer Web browser to silently run the malicious code distributed from the IIS servers on machines that visited the compromised sites, redirecting the customers to Web sites controlled by the hackers and downloading a Trojan horse program that captures keystrokes and personal data.

One of those vulnerabilities was an unpatched IE hole that used a Windows component called ADODB.Stream to force Internet Explorer to load insecure content using relaxed security precautions typically applied to files stored on the local hard drive or obtained from a trusted Web site such as www.microsoft.com, according to experts.

On July 2, Microsoft pushed out changes that altered the configuration of Windows 2000, XP and Windows Server 2003 to help customers fight off the Scob attacks, disabling ADODB.Stream. The company is also planning a number of software patches, including a patch for a gaping Internet Explorer security hole in coming weeks, and may release those outside of its monthly security patch schedule, the company said.

Despite the apparent links of the infected sites to the June attacks, some of the infected servers are distributing variations of the malicious JavaScript code used in the June attacks and are distributing the code directly in HTML (Hypertext Markup Language) Web pages served from IIS, rather than appending it to Web pages as a "footer," as in the original attacks, Hubbard said.

Hubbard declined to name the infected Web sites citing company policy, but said none were "high-profile" or popular enough to be listed among the 500 most-visited Web sites.

While the IIS 6 infections appear to be the result of upgrades to already-infected IIS servers, there are other ways that IIS 6 Web servers could be infected with Scob, according to a Microsoft spokeswoman.

Among other things, users with rights to publish to an IIS 6 server who also have rights on an infected IIS 5.0 server could transfer infected Web pages from one server to the other. Alternatively, IIS servers running Version 5 without the MS04-011 patch that upgraded to IIS Version 6 could also be vulnerable to attack, the spokeswoman said.

Microsoft is not aware of any direct infection of IIS 6.0 servers, she said.

Data from Websense supports that conclusion, as well. At least 20 of the 100 IIS 6.0 Scob sites Websense discovered were running IIS 5.0 until recently, and may have been upgraded manually by administrators unaware of the infection, or using Microsoft's AutoUpdate feature, he said.

Hubbard also points to the fact that the malicious code points to the original Russian attack sites as evidence that the infections are from the original attack in June.

"Why would someone design a new attack and still point to a Web site that's gone? It doesn't make sense for people to target computers in an attack if the payload is useless," he said.

In the meantime, Websense is attempting to contact the administrators of infected sites and encourage them to disinfect their servers, Hubbard said.

Hubbard has spoken to five different Webmasters of infected sites. Each had recently upgraded to IIS 6.0 for a variety of reasons and was "surprised" to hear that they had been infected with Scob, he wrote in an e-mail message.