List: nfr-users
Subject: [nfr-users] UPDATE - Download.Ject
From: Matt Bing <mbing () nfr ! net>
Date: 2004-06-26 19:48:47
Message-ID: 20040626194847.GC13692 () mothra ! bing ! nfr ! net
OVERVIEW
NFR RRT has become aware of a new mass exploitation of Internet Explorer via
malicious JavaScript code distributed by hijacked IIS web servers.
TECHNICAL INFORMATION
Compromised IIS web servers append malicious JavaScript code to every file
served, which instructs the victim's browser to download a trojan horse from
another web site. One of many possible trojans might be installed, including a
keystroke logger, proxy, or some other backdoor.
It is unclear how the IIS servers are being compromised, but Microsoft
speculates the servers in question have not installed the MS04-011 security
update. Running the latest versions of the RRT packages MSRPC & SSL will
alert on these particular vulnerabilities.
In addition, to possibly detect compromised systems on your network,
consider adding the following rule to the RULES_TCP variable in the
policy package.
"alert any 217.107.218.147/32 any 80"
This will send an alert on every access to the only known location of the
trojan horse.
REFERENCES
* What You Should Know About Download.Ject
http://www.microsoft.com/security/incident/download_ject.mspx
* Microsoft Security Bulletin MS04-011
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
* An analysis of the Ilookup Trojan
http://62.131.86.111/analysis.htm
* Compromised Web Sites Infect Web Surfers
http://www.incidents.org/
--
Matt Bing
NFR Security
Rapid Response Team
_______________________________________________
nfr-users mailing list
nfr-users@nfr.com
http://list.nfr.com/mailman/listinfo/nfr-users
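
A retrospective check for the same indicator the rule above alerts on, as an added example that is not part of the original advisory or of NFR's packages: it scans connection records for TCP traffic to 217.107.218.147 on port 80 and groups the hits by internal source host. The log format, function names and sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Indicator taken from the advisory's rule: destination 217.107.218.147/32, TCP port 80.
INDICATOR_NET = ipaddress.ip_network("217.107.218.147/32")
INDICATOR_PORT = 80

# Constructed sample records (not real traffic). Assumed format:
# "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2004-06-26T18:01:12Z TCP 10.1.4.23:1045 -> 217.107.218.147:80
2004-06-26T18:01:13Z TCP 10.1.4.23:1046 -> 192.0.2.10:80
2004-06-26T18:07:40Z TCP 10.1.7.9:3312 -> 217.107.218.147:80
2004-06-26T18:09:02Z UDP 10.1.7.9:3313 -> 217.107.218.147:80
2004-06-26T18:15:55Z TCP 10.1.4.23:1050 -> 217.107.218.147:80
2004-06-26T18:16:00Z TCP 10.1.2.2:2000 -> 217.107.218.147:443
malformed line without fields
"""

def parse_line(line):
    """Return (timestamp, proto, src_ip, dst_ip, dst_port) or None if unparseable."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    try:
        src_ip, _ = parts[2].rsplit(":", 1)
        dst_ip, dst_port = parts[4].rsplit(":", 1)
        return (parts[0], parts[1], ipaddress.ip_address(src_ip),
                ipaddress.ip_address(dst_ip), int(dst_port))
    except ValueError:
        return None

def find_suspect_hosts(log_text):
    """Map each source host that reached the indicator to its hit timestamps."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip records that do not match the assumed format
        ts, proto, src, dst, dport = rec
        if proto == "TCP" and dst in INDICATOR_NET and dport == INDICATOR_PORT:
            hits[str(src)].append(ts)
    return dict(hits)

if __name__ == "__main__":
    for host, stamps in sorted(find_suspect_hosts(SAMPLE_LOG).items()):
        print(f"{host}: {len(stamps)} connection(s), first {stamps[0]}, last {stamps[-1]}")
```

Hosts listed in the output are candidates for follow-up, since a connection to the address shows only that the download was attempted.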