News

'Sophisticated' Download.Ject Jumps into Microsoft's Security Holes

• By Scott Bekker
• 06/28/2004

To underscore the severity of the attack, the SANS Internet Storm Center called it "a very sophisticated attack" and compared it to Nimda. "Nimda attempted the same trick, using an older MSIE exploit. Other attempts have been observed in the past. This attack is special because it affects a large number of servers and is not easily detectable," the security organization wrote. "A large number of Web sites, some of them quite popular, were compromised earlier this week to distribute malicious code."

Download.Ject is the general name for an attack that first involves compromising an IIS 5.0 server using a one of the flaws patched in the blockbuster MS04-011 security bulletin. That bulletin was released in April and contained fixes for 14 flaws, six of them critical. After compromising the IIS systems, attackers uploaded Java script, often at the bottom of popular sites.

The attack then relies on an unpatched flaw in Microsoft Internet Explorer that allows a malicious or compromised Web site to download executable code to a users' system without a user taking any action other than visiting the URL. Microsoft is considering releasing a patch to fix this critical flaw before its next Patch Tuesday, which falls on July 13.

The first round of Java script code appears to connect a Russian site to download a trojan to user systems. The trojan includes a keystroke loggers, proxy servers and backdoor programs.

Putting the best face on the situation, Microsoft noted that end users running Release Candidate 2 of the unreleased Windows XP Service Pack 2 are protected from the IE vulnerability because the new service pack introduces new protections in Internet Explorer against downloaded code from the Internet. However, the release candidate is essentially beta software, and, in any case, it only helps those customers running Windows XP. Service Pack 2, which introduces a number of security technologies to the operating system and browser, is already several months overdue.

Most of the major anti-virus software will detect the Java script as "JS.Scob.Trojan," according to the SANS Internet Storm Center. Microsoft's Web site also includes some tools for determining if systems are infected.

Although industry observers say the attacks are slowing down, end users must still be protected even if the options are limited until Microsoft delivers an IE patch. "Right now, we don't know of any sites that are still hosting the script. Given that this attack is likely to be repeated using different Java script code, we recommend that you install and maintain anti-virus software, if possible turn off Java script, or use a browser other than MSIE until the current vulnerabilities in MSIE are patched," according to SANS.

Security officials at US-CERT also took the specific opportunity of the security problem to discourage use of Java script in general. "This activity is another example of why end users must exercise caution when Java script is enabled in their Web browser. … US-CERT recommends that end users disable Java script unless it is absolutely necessary. Users should be aware that any Web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code."