June 25, 2004 12:00 AM

Vulnerable IIS Sites and IE Users Under Attack

Windows IT Pro
InstantDoc ID #43088

A new form of attack is spreading around the Internet, but to what extent remains unknown at the time of this writing. The attack affects unpatched Microsoft IIS systems, which are then made to attack unprotected Microsoft Internet Explorer (IE) systems.

Intruders use an overflow condition in IIS to compromise an unpatched system. The vulnerability is related to the Private Communications Transport (PCT) protocol in Microsoft's Secure Sockets Layer (SSL) library. Malicious JavaScript code is inserted into a Web page, and when unprotected IE users visit the compromised page, IE might run the JavaScript code on the user's system. That code then loads the attacker's code of choice onto the system.

Administrators should install Microsoft patch MS04-011 to protect IIS. According to iDEFENSE, IE users are being compromised through a combination of two vulnerabilities, one related to a problem in MIME Encapsulated Aggregate HTML (MHTML) and the other related to ADODB. Microsoft has made a patch available for the MHTML issue (MS04-013); however, no patch is yet available for the ADODB vulnerability. IE users should consider disabling Active Scripting in IE to protect their systems against these attacks.

Microsoft published an article, "Download.Ject," for users who might be infected by this particular attack. In the article, Microsoft said that if users search their systems and find two files, kk32.dll and surf.dat, the presence of those files probably indicates that the system is infected. Microsoft recommends that users clean their systems using a virus-scanning tool.

LURHQ, a managed security services provider, published a detailed analysis of the attack, which the company said installs the Berbew/Webber/Padodor Trojan on users' systems. The company said that when a user visits a compromised Web site, the Trojan will be downloaded from a Russian Web server, and the Trojan then "copies itself to the system directory using a random name, and also extracts a DLL file which acts as a loader for the [executable file] at boot time using the ShellServiceObjectDelayLoad registry key."
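The ShellServiceObjectDelayLoad persistence described above is something a defender can audit offline from a regedit export without trusting the possibly patched live system. The following Python script is an added example, not code from the article or from LURHQ: it parses a constructed .reg export (the sample data is made up; the four baseline entries are assumed to model a clean Windows XP build and should be replaced with an export from your own known-good system), resolves each ShellServiceObjectDelayLoad CLSID to its InProcServer32 DLL, and flags entries that are absent from the baseline or have no registered server. The `%SystemRoot%` expansion to `C:\WINDOWS` is likewise an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed .reg export (not a real capture). The first four entries model the
# ShellServiceObjectDelayLoad defaults of a Windows XP build; the fifth models a
# Berbew-style loader DLL dropped under a random name in the system directory.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"Constructed Loader"="{11111111-2222-3333-4444-555555555555}"

[HKEY_CLASSES_ROOT\CLSID\{7849596a-48ea-486e-8937-a2a3009f31a9}\InProcServer32]
@="%SystemRoot%\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
@="%SystemRoot%\\system32\\shell32.dll"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="%SystemRoot%\\system32\\webcheck.dll"

[HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InProcServer32]
@="%SystemRoot%\\system32\\stobject.dll"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InProcServer32]
@="C:\\WINDOWS\\system32\\jgqwzkb.dll"
"ThreadingModel"="Apartment"
'''

SSODL_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'.lower()

# Assumed clean baseline (value name -> CLSID, lower-cased); replace with your own export.
BASELINE = {
    'postbootreminder': '{7849596a-48ea-486e-8937-a2a3009f31a9}',
    'cdburn': '{fbeb8a05-beee-4442-804e-409d6c4515e9}',
    'webcheck': '{e6fb5e20-de35-11cf-9c87-00aa005127ed}',
    'systray': '{35cec8a3-2be6-11d2-8773-92e220524153}',
}

_SECTION_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string values of a .reg export into {key_path_lower: {value_name: data}}.
    Only REG_SZ values written as "..." are kept; hex(...) blobs are ignored."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()       # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = '' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            data = m.group(2).strip()
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                keys[current][name] = _unescape(data[1:-1])
    return keys


def resolve_dll(reg: Dict[str, Dict[str, str]], clsid: str, system_root: str = 'C:\\WINDOWS') -> Optional[str]:
    """Return the InProcServer32 DLL registered for a CLSID, or None if there is none."""
    for root in ('hkey_classes_root', 'hkey_local_machine\\software\\classes'):
        key = f'{root}\\clsid\\{clsid.lower()}\\inprocserver32'
        if key in reg and '' in reg[key]:
            return re.sub(r'(?i)%systemroot%', lambda _m: system_root, reg[key][''])
    return None


def audit_ssodl(reg: Dict[str, Dict[str, str]], baseline: Dict[str, str] = BASELINE) -> List[dict]:
    """Flag ShellServiceObjectDelayLoad entries that deviate from the baseline."""
    findings = []
    for name, clsid in reg.get(SSODL_KEY, {}).items():
        expected = baseline.get(name.lower())
        dll = resolve_dll(reg, clsid)
        reasons = []
        if expected is None:
            reasons.append('value name not in baseline')
        elif expected != clsid.lower():
            reasons.append('CLSID differs from baseline')
        if dll is None:
            reasons.append('no InProcServer32 registered')
        if reasons:
            findings.append({'name': name, 'clsid': clsid, 'dll': dll, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in audit_ssodl(parse_reg(SAMPLE_REG)):
        print(f"{f['name']}: {f['clsid']} -> {f['dll']} ({'; '.join(f['reasons'])})")
```

The constructed loader is caught by the baseline comparison, not by its path: the article says the loader is dropped into the system directory under a random name, so a rule that only flags DLLs outside `%SystemRoot%` would miss it. Export the key with `regedit /e` on a clean build of the same Windows version to obtain a baseline you can defend.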

LURHQ said the Trojan is designed for "phishing" attacks, in which it gathers logon information from users who log on to eBay, PayPal, EarthLink, Juno, and Yahoo Web mail. The company said the Trojan might also create fake pop-up windows to entice users to enter credit card information and associated PINs. The Trojan also hides itself from the process list by patching certain DLLs already loaded into memory. The company also made available a list of steps for manual removal of the Trojan from infected systems, as well as a Snort intrusion detection signature (seen below) that administrators can add to their Snort installations.

alert tcp any any -> any 80 (msg:"Webber/Berbew trojan keystroke log upload"; flow:established; content:"id=crutop|26|vvpupkin0="; depth:20; classtype:trojan-activity; reference:url,www.lurhq.com/berbew.html; sid:1000108; rev:1;)
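To show what the LURHQ signature above actually matches, here is an added Python example (not from the article or from LURHQ) that implements the Snort `content` and `depth` semantics the rule relies on and runs the rule's payload test over a few constructed packets. The packet records and their payloads are made up, and the `flow:established` check is modelled as a boolean on the record rather than real TCP state tracking.

```python
from typing import List, Optional


def snort_content_to_bytes(spec: str) -> bytes:
    """Convert a Snort content string (text with |hh hh| hex sections) to raw bytes."""
    if spec.count('|') % 2:
        raise ValueError('unbalanced | in content')
    out = bytearray()
    for i, part in enumerate(spec.split('|')):
        if i % 2 == 1:                       # odd parts sit inside |...|
            out += bytes.fromhex(part.replace(' ', ''))
        else:
            out += part.encode('latin-1')
    return bytes(out)


def content_matches(payload: bytes, content: bytes, offset: int = 0, depth: Optional[int] = None) -> bool:
    """Snort semantics: the pattern must lie entirely inside payload[offset:offset+depth]."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return content in window


# The fields of the article's rule that decide whether it fires.
RULE = {
    'dst_port': 80,
    'flow': 'established',
    'content': 'id=crutop|26|vvpupkin0=',
    'depth': 20,
    'msg': 'Webber/Berbew trojan keystroke log upload',
}


def rule_fires(rule: dict, packet: dict) -> bool:
    if packet['dst_port'] != rule['dst_port']:
        return False
    if rule['flow'] == 'established' and not packet['established']:
        return False
    pattern = snort_content_to_bytes(rule['content'])
    return content_matches(packet['payload'], pattern, depth=rule['depth'])


# Constructed sample packets (not real captures); payload is the TCP payload only.
SAMPLE_PACKETS = [
    {'name': 'upload-at-start', 'dst_port': 80, 'established': True,
     'payload': b'id=crutop&vvpupkin0=ZXhhbXBsZQ=='},
    # same fields, but another field comes first: pattern ends past byte 20 -> no alert
    {'name': 'upload-after-other-field', 'dst_port': 80, 'established': True,
     'payload': b'user=x&id=crutop&vvpupkin0=ZXhhbXBsZQ=='},
    # same payload to a non-80 port -> rule header does not match
    {'name': 'same-string-other-port', 'dst_port': 8080, 'established': True,
     'payload': b'id=crutop&vvpupkin0=ZXhhbXBsZQ=='},
    {'name': 'benign-post', 'dst_port': 80, 'established': True,
     'payload': b'q=snort+signature&page=1'},
]


def run(packets: List[dict] = SAMPLE_PACKETS) -> List[str]:
    """Return the names of the packets on which the rule would alert."""
    return [p['name'] for p in packets if rule_fires(RULE, p)]


if __name__ == '__main__':
    for name in run():
        print(f"ALERT {RULE['msg']}: {name}")
```

`|26|` is the hex escape for `&`, so the pattern is the form string `id=crutop&vvpupkin0=`, which is exactly 20 bytes; with `depth:20` it therefore has to start at byte 0 of the TCP payload. Because the rule predates HTTP-aware modifiers, it only fires when the form data begins a segment, and a POST body carried in the same segment as the request headers would not match. Treat the rule as a narrow indicator and pair it with the host-side checks the article describes.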

Comments
  • Karen
    Jul 01, 2004

    I have tried all the Adware.. Installed Spybot as well as Ad-aware 6 only to have the same problem. My tech support advised me to install Norton Internet Security, but that hasn't even helped. There was an article in my local paper describing this and offering the suggestion to use a different browser such as Netscape or Mozilla... as both have applied patches already in place and this is not a problem with these two browsers. So IE is gone and I've made Netscape my new browser. Not a thing has popped up yet so I'm happy!

  • Tracy
    Jun 29, 2004

    This sounds too scary to be true, I am going to be extra vigilant now!

  • Eric
    Jun 29, 2004

    Anne - What you have is a browser hijacker..

    IncrediFind

    Overview
    IncrediFind is an Internet Explorer browser helper object that hijacks your error page.

    From the developer: IncrediFind is a free utility for Microsoft Internet Explorer version 5 or later that provides contextually-relevant search results in place of unfound and unavailable web pages, and allows users to search the web by simply typing any keywords or search terms in their Internet Explorer address bar.

    Classification
    Adware

    Files
    incfindbho.dll

    Vendor
    Incredifind.com

    Privacy policy
    No privacy policy available

    Detection
    Ad-aware and Spybot detect IncrediFind. You can download and run these for free.

    Uninstall procedure
    Uninstall IncrediFind from "Add/Remove Programs" in the Windows® Control Panel.

    Manual removal
    Please follow the instructions below if you would like to remove IncrediFind manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If IncrediFind remains on your system after stepping through the removal instructions, please double-check by stepping through them again.
    Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
    Delete 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5D60FF48-95BE-4956-B4C6-6BB168A70310}', if it exists.
    Delete 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5D60FF48-95BE-4956-B4C6-6BB168A70310}', if it exists.
    Exit the registry editor.
    Restart your computer.
    Start Windows Explorer and delete:
    %ProgramsDir%\IncrediFind\BHO\incfindbho.dll
    Note: %ProgramsDir% is a variable (?). By default, this is C:\Program Files.
    Start Microsoft Internet Explorer.
    In Internet Explorer, click Tools -> Internet Options.
    Click the Programs tab -> Reset Web Settings.

  • Nick
    Jun 29, 2004

    Good article. I appreciate the links and the snort sig.
    Here's a suggestion: an article about mitigation for the ADODB vulnerability. I don't think that just disabling Active Scripting in the Internet Zone cuts it.
    I believe we will see more of these types of virus/spyware attacks through that browser hole... wouldn't it be nice to be able to say that you provided your readers with the ability to prevent/mitigate infection when the next one of these comes to light?

  • Nick
    Jun 29, 2004

    Response to Anne:
    It really isn't possible to completely remove IE.
    To solve your problem I would recommend trying 2 FREE tools:
    Spybot (http://www.safer-networking.org
    OR http://www.download.com/3000-8022-10122137.html) and AdAware (http://www.lavasoft.de/) to remove the malware. Be careful if you try to use other "free" spyware and adware removal tools... they often are spyware themselves!
    I highly recommend the 2 tools listed above and use them myself.
    Also, just as a general rule, make sure that you are running currently updated antivirus and have the latest updates from Microsoft installed on your machine. (windowsupdate.microsoft.com will check the updates for you)
    Also, a quick search on Google for "incredifind" turned up a lot of suggestions and information. The following link explains what incredifind is (watch the link wrapping): http://www.kephyr.com/spywarescanner/library/incredifind/index.phtml
    So does this one and gives additional removal instructions if Spybot/Adaware don't get it:
    http://www.2-spyware.com/parasite-incredifind.html
    When you want to find out about something, Google is your friend! Hope that helps!!!
