A large number of web sites, some of them quite popular, were compromised earlier
this week to distribute malicious code. The attacker uploaded a small file containing
javascript to each compromised web server and altered the web server configuration to
append that script to every file the server delivers. The Storm Center and others are
still investigating the method used to compromise the servers. Several server
administrators reported that their servers were fully patched.
If a user visited an infected site, the javascript delivered by the site
would instruct the user's browser to download an executable from a Russian web site
and install it. Several different executables were observed. These trojan horse programs
include keystroke loggers, proxy servers and other back doors providing full access
to the infected system.
The javascript uses a so far unpatched vulnerability in MSIE to download
and execute the code. No warning will be displayed. The user does not have to click
on any links. Just visiting an infected site will trigger the exploit.
If your SERVER was compromised, you will observe:
- All files sent by the web server will include the javascript. Because the
javascript is delivered by the web server as a global footer, images and other
non-HTML documents (robots.txt, Word files) will include the javascript as well.
- The files on your server will not be altered. The javascript is configured
as a global footer and appended by the server as the files are delivered to the
browser, so comparing files on disk against backups will not reveal the change.
- You will find that the global footer setting points to a new file (the one the
attacker uploaded).
- For snort signatures, see http://www.bleedingsnort.com
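The indicator above (the same script tacked onto HTML pages and onto objects that can never legitimately carry script, such as robots.txt or a GIF) can be checked from outside the server. The following is an added example written for this diary, not code from the Storm Center or from the attack; the injected footer, the paths and the response bodies are constructed for illustration. It pulls the trailing script block from each response and reports a server-side footer only when every response ends in the identical block and at least one of them is a non-HTML object.

```python
"""Detect a server-appended "global footer" script across HTTP responses."""
import re
from typing import Iterable, List, Optional, Tuple

# Content types that should never end in a <script> block. If one of these
# carries the same trailing script as the HTML pages do, the server (not the
# page authors) is appending it.
NON_HTML_TYPES = ("text/plain", "image/", "application/msword",
                  "application/octet-stream")

SCRIPT_BLOCK = re.compile(rb"<script\b[^>]*>.*?</script>",
                          re.IGNORECASE | re.DOTALL)

Response = Tuple[str, str, bytes]  # (path, content_type, body)


def trailing_script(body: bytes) -> Optional[bytes]:
    """Return the <script>...</script> block that closes the body, if the
    body ends with one (ignoring trailing whitespace); otherwise None.
    The last script block is used so that a page's own inline scripts
    earlier in the document do not mask an appended footer."""
    last = None
    for last in SCRIPT_BLOCK.finditer(body):
        pass
    if last is None or body[last.end():].strip():
        return None
    return last.group(0)


def find_appended_footer(responses: Iterable[Response]):
    """Return (footer, affected_paths) when every response ends with the
    same script block and at least one response is a non-HTML object;
    return None otherwise."""
    footer: Optional[bytes] = None
    affected: List[str] = []
    saw_non_html = False
    for path, ctype, body in responses:
        tail = trailing_script(body)
        if tail is None:
            return None          # at least one object is clean
        if footer is None:
            footer = tail
        elif tail != footer:
            return None          # different scripts: not one global footer
        affected.append(path)
        if ctype.startswith(NON_HTML_TYPES):
            saw_non_html = True
    if footer is None or not saw_non_html:
        return None
    return footer, affected


def fetch(url: str) -> Response:
    """Fetch one URL for feeding into find_appended_footer(). Only point
    this at servers you are responsible for."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=10) as resp:
        return (url, resp.headers.get("Content-Type", ""), resp.read())


# Constructed sample data (hypothetical payload, not the real injected script).
INJECTED = (b'<script language="JavaScript">'
            b'document.write("CONSTRUCTED PAYLOAD");</script>')

INFECTED_SAMPLE: List[Response] = [
    ("/index.htm", "text/html",
     b"<html><body><script>var a=1;</script>Welcome</body></html>\r\n"
     + INJECTED + b"\r\n"),
    ("/robots.txt", "text/plain",
     b"User-agent: *\r\nDisallow: /private/\r\n" + INJECTED + b"\r\n"),
    ("/logo.gif", "image/gif",
     b"GIF89a\x01\x00\x01\x00" + b"\x00" * 8 + INJECTED + b"\r\n"),
]

CLEAN_SAMPLE: List[Response] = [
    ("/index.htm", "text/html",
     b"<html><body><script>var a=1;</script>Welcome</body></html>\r\n"),
    ("/robots.txt", "text/plain", b"User-agent: *\r\nDisallow: /private/\r\n"),
]

if __name__ == "__main__":
    hit = find_appended_footer(INFECTED_SAMPLE)
    if hit:
        footer, paths = hit
        print("global footer appended on", ", ".join(paths))
        print(footer.decode("latin-1"))
    else:
        print("no server-appended footer found")
```

In practice, request an HTML page, robots.txt and an image from the server you are checking (with `fetch()`), then pass the three responses to `find_appended_footer()`; a hit on the image or robots.txt is the tell, since no content author would put script there.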
We do not know at this point how the affected servers have been compromised. The
SSL-PCT exploit is at the top of our list of suspects. If you find a compromised
server, we strongly recommend a complete rebuild. You may be able to get your web
site back into business by changing the footer setting and removing the javascript
file, but this is likely a very sophisticated attack and you should expect other
stealthy backdoors.
If you visited an affected page, and your BROWSER is compromised:
- You may see a warning about a javascript error. Whether you do depends on how the
attack code interferes with other javascript on the respective page, and many users
disable these javascript warnings.
- Disconnect the system from the network as soon as possible.
- Run a thorough virus check with up-to-date virus definitions. Many AV
vendors released new definitions as recently as last night.
- If you are able to monitor traffic from the infected host, you may see
attempts to contact 217.107.218.147 on port 80.
- AV software will detect the javascript as 'JS.Scob.Trojan'.
For more details, also see yesterday's diary: http://isc.sans.org/diary.php?date=2004-06-24.
Updates will be posted here.
Microsoft has acknowledged the issue and is investigating it; they rated the
severity as critical.
Relevant Links
Analysis of the underlying MSIE vulnerability:
http://62.131.86.111/analysis.htm (thanks to Olivier de Jong)
Symantec writeup for js.scob.trojan:
http://securityresponse.symantec.com/avcenter/venc/data/js.scob.trojan.html
MSIE Exploit information from Security Focus:
http://www.securityfocus.com/bid/10472
http://www.securityfocus.com/bid/10473
CHM vulnerability (not used here, but used by similar exploits): http://www.securityfocus.com/bid/9658/info/
F-Secure Information:
http://www.f-secure.com/weblog/
http://www.f-secure.com/v-descs/scob.shtml
http://www.f-secure.com/v-descs/padodorw.shtml
UseNet Discussion about IIS exploits:
http://www.derkeiler.com/Newsgroups/microsoft.public.inetserver.iis.security/2004-06/0588.html
Snort Rule:
http://snort.infotex.com/cgi-bin/viewcvs.cgi/Stable/VIRUS_Unknown_IIS_Worm