A new version of the IIS worm from June

Discussion in 'Anti-Virus' started by NunYa, Aug 21, 2004.

  NunYa (Guest)


    By Paul Roberts
    IDG News Service, 08/19/04

    A new version of the worm that spread from infected Microsoft Internet
    Information Services Web servers in June has been identified and is
    using instant messages and infected Web sites in Russia, Uruguay and
    the U.S. to spread itself, according to one security company.

    Researchers at PivX Solutions of Newport Beach, Calif., have
    intercepted new malicious code that closely resembles widespread
    attacks in June attributed to a malicious computer code named "Scob"
    or "Download.ject." The new attacks use mass-distributed instant
    messages to lure Internet users to Web sites that distribute malicious
    code similar to Download.ject, said Thor Larholm, senior security
    researcher at PivX.

    First detected on June 24, the Scob attacks were attributed to a
    Russian hacking group known as the "hangUP team," which used a
    recently patched buffer overflow vulnerability in Microsoft's
    implementation of Secure Sockets Layer to compromise vulnerable
    Windows 2000 systems running IIS Version 5 Web servers. Companies that
    used IIS Version 5 and failed to apply a recent security software
    patch, MS04-011, were vulnerable to compromise.

    The June attacks also used two vulnerabilities in Windows and the
    Internet Explorer Web browser to silently run the malicious code
    distributed from the IIS servers on machines that visited the
    compromised sites, redirecting the customers to Web sites controlled
    by the hackers and downloading a Trojan horse program that captures
    keystrokes and personal data.

    The new attacks begin with instant messages sent to customers using
    AOL's AOL Instant Messenger (AIM) or ICQ instant message program. The
    messages invite recipients to click on a link to a Web page, with
    pitches such as "Check out my new home page!" The messages could be
    sent from strangers or from regular IM correspondents, or "buddies,"
    Larholm said.

    Once victims click on the link, they are taken to one of a handful of
    attack Web pages hosted on servers in Uruguay, Russia and the U.S.,
    from which a Trojan horse program is downloaded.

    In addition to opening a "back door" on the victim's computer through
    which more malicious programs can be downloaded, the new attacks
    change the victim's Web browser home page or Outlook e-mail search
    page to Web sites featuring adult content, Larholm said.

    PivX is still analyzing the attacks to see if malicious code is placed
    on victims' machines, but many of the files used by the new worm and
    the way in which the attacks are being carried out point to the same
    group that launched the Scob attacks in June, Larholm said.

    "The code is different enough to be something of its own, but unique
    enough to be related," he said. "And as with the Scob attacks, this is
    all about money -- in this case, driving ad revenue for specific

    The attack Web sites take advantage of vulnerabilities in Internet
    Explorer and Outlook that Microsoft has patched, but that allow the
    attackers to place and run malicious code on unpatched systems. Two
    patches from 2003, MS03-025 and MS03-040, address the flaws used by the
    new worm, Larholm said.

    Anti-virus companies were informed of the new malicious code but did
    not have virus signatures issued Thursday, Larholm said.
    NunYa, Aug 21, 2004
