Web servers still doling out "Scob" code

BOSTON - More than 100 Web servers are still distributing the "Scob" malicious code, first identified two weeks ago as code used in a widespread attack to plant Trojan horse programs on vulnerable computers, according to one computer security company. That attack used compromised Microsoft Corp. Internet Information Services (IIS) Web servers to distribute the Trojan horse programs.

Enterprise security software maker Websense Inc. discovered 114 Web sites that are distributing variations of a malicious JavaScript program known as "Scob," or "Download.Ject." Whereas the attack initially targeted only Web servers running IIS Version 5, the majority of infected sites now run IIS Version 6, after administrators upgraded the systems, unaware their servers were already infected, said Dan Hubbard, director of security and technology research at Websense Inc.

Websense, of San Diego, discovered the infected sites during its daily "mining" of more than 24 million Web sites, which the company uses to detect Web- and Internet-based threats. The company modified its mining algorithms on June 24 to search for Web sites distributing the Scob code, and has been monitoring such sites since then, he said.

The 100 affected sites are all running either IIS 5.0 or 6.0. Attack code distributed by the infected servers still points to Web sites used in the attack, which were taken off-line shortly after news of the original attacks spread, meaning that the continued malicious code attacks have probably not resulted in new Trojan infections, Hubbard said.

First detected on June 24, the Scob attacks have been attributed to a Russian hacking group known as the "hangUP team," which used a recently-patched buffer overflow vulnerability in Microsoft's implementation of SSL (secure sockets layer) to compromise vulnerable Windows 2000 systems running IIS Version 5 Web servers. Companies that used IIS Version 5 and failed to apply a recent security software patch, MS04-011, were vulnerable to compromise. (See: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.)

The June attacks also used two vulnerabilities in Windows and the Internet Explorer Web browser to silently run the malicious code distributed from the IIS servers on machines that visited the compromised sites, redirecting the customers to Web sites controlled by the hackers and downloading a Trojan horse program that captures keystrokes and personal data.

One of those vulnerabilities was an unpatched IE hole that used a Windows component called ADODB.Stream to force Internet Explorer to load insecure content using relaxed security precautions typically applied to files stored on the local hard drive or obtained from a trusted Web site such as www.microsoft.com, according to experts.

On July 2, Microsoft pushed out changes that altered the configuration of Windows 2000, XP and Windows Server 2003 to help customers fight off the Scob attacks, disabling ADODB.Stream. The company is also planning a number of software patches, including a patch for a gaping Internet Explorer security hole in coming weeks, and may release those outside of its monthly security patch schedule, the company said.

Despite the apparent links of the infected sites to the June attacks, some of the infected servers are distributing variations of the malicious JavaScript code used in the June attacks and are distributing the code directly in HTML (Hypertext Markup Language) Web pages served from IIS, rather than appending it to Web pages as a "footer," as in the original attacks, Hubbard said.