Tag Archives: Download.ject

‘Hundreds Of Websites Still Infected By Scob Trojan’

Just how many websites have been compromised by last week’s attack of the Scob trojan?

A report released today by Cyveillance, a U.S.-based ‘provider of online risk monitoring and management solutions’, concludes that 641 sites were still infected with the JS.Scob.Trojan virus as of June 27, 2004. The company says it used its proprietary Internet monitoring technology to visit all known sites running Microsoft Internet Information Services 5.0 (IIS) — the vulnerable software — and identify which ones were compromised.

As Cyveillance CEO Panos Annastasiadas points out, “this newest form of phishing is far more devious than email-based attacks since a key-stroke logger is installed completely passively on the individual’s computer, without the victim falling for a scam.” Annastasiadas also says “loggers can capture far more personal information than is typically shared with a single phishing site.” That’s an interesting assertion, and I’m not sure it’s completely true. Some phishing sites sought — and presumably got — a wide array of personal information that would not normally be typed into the computer (and therefore not usually caught by keyboard loggers). Of course, the trojan in question may capture more than keystrokes, by, say, probing the hard disk, but I would say a social-engineered phishing attack that lures the victim into entering private data on a kosher-looking web site is going to give the attacker a much more complete picture for the purposes of ID fraud and emptying bank and credit card accounts than random passwords logged and sent back to scammer HQ.

Anyway, Cyveillance says it gathered its data from a previous audit it had conducted of some 50 million web sites, or domains. This audit had revealed some 6.2 million web sites known to run IIS 5.0, the Microsoft software with the hole. It then ran its proprietary technology over those web sites and found 641 confirmed cases. It doesn’t say what those domains were, and 641 doesn’t sound like a lot. But given that this test was run several days after the initial attack, probably most of the people running those domains don’t know they’re infected, so that’s still 641 too many.

Phishing Gets Proactive

Scaring the bejesus out of a lot of security folk this weekend is a new kind of phishing attack that doesn’t require the victim to do anything but visit the usual websites he might visit anyway.

It works like this: The bad guy uses a weakness in web servers running Internet Information Services 5.0 (IIS) and Internet Explorer, components of Microsoft Windows, to make the server append some JavaScript code to the bottom of the webpages it serves. When the victim visits those pages the JavaScript will load onto his computer one or more trojans, known variously as Scob.A, Berbew.F, and Padodor. These trojans open up the victim’s computer to the bad guy, but Padodor is also a keylogging trojan, capturing passwords the victim types when accessing websites like eBay and PayPal. Here’s an analysis of the malicious script placed on victims’ computers from LURHQ. Think of it as a kind of outsourced phishing attack.
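As an added illustration (my own, not code from the original post or from LURHQ’s analysis), here is a small Python audit that flags the two footprints the paragraph describes in a page you have fetched: script tags that sit after the closing </html> tag, where a page’s author would not put them, and external script sources from hosts you do not recognise. The sample page, the host names in it and the trusted-host list are all constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample page (not a real capture): an ordinary page whose server has
# appended one script block after the closing </html> tag, the shape the post describes.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/static/app.js"></script></head>
<body><p>Welcome back.</p></body></html>
<script src="http://updates.example.invalid/loader.js"></script>
"""

HTML_CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_OPEN_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
SRC_ATTR_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def find_trailing_scripts(html):
    """Return the offsets of <script> tags that appear after the last </html> tag.

    A well-formed page has nothing after </html>; a script there is the footprint of
    something appending code to every response rather than of the page's author.
    """
    closes = list(HTML_CLOSE_RE.finditer(html))
    if not closes:
        return []
    tail_start = closes[-1].end()
    return [m.start() for m in SCRIPT_OPEN_RE.finditer(html, tail_start)]


def find_foreign_script_sources(html, trusted_hosts):
    """Return external script src URLs whose host is not in trusted_hosts.

    Relative URLs (no host) belong to the page's own site and are skipped.
    """
    foreign = []
    for tag in SCRIPT_OPEN_RE.finditer(html):
        src = SRC_ATTR_RE.search(tag.group(1))
        if not src:
            continue
        host = urlparse(src.group(1)).hostname
        if host and host.lower() not in trusted_hosts:
            foreign.append(src.group(1))
    return foreign


def audit_page(html, trusted_hosts):
    """Combine both checks into one report for a fetched page."""
    trailing = find_trailing_scripts(html)
    foreign = find_foreign_script_sources(html, trusted_hosts)
    return {
        "trailing_script_count": len(trailing),
        "foreign_script_sources": foreign,
        "suspicious": bool(trailing or foreign),
    }


if __name__ == "__main__":
    # Hypothetical trusted host list: the site's own name and its content server.
    print(audit_page(SAMPLE_PAGE, {"shop.example", "static.shop.example"}))
```

Run this over pages pulled from your own servers (or from a proxy log) rather than trusting what a browser shows; the trailing-script check is the cheap one, since a compromised server adds its payload to every page and an honest page has nothing after its closing tag.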

Some things are not yet clear. One is how widespread this infection is. According to U.S.-based iDEFENSE late Friday, “hundreds of thousands of computers have likely been infected in the past 24 hours.” Others say it’s not that widespread. CNET reported late Friday that the Russian server delivering the trojans was shut down, but that may only be temporary respite.

What’s also unclear is exactly what vulnerability is being used, and therefore whether Microsoft has already developed a patch — or software cure — for it. More discussion on that here. Microsoft is calling the security issue Download.Ject, and writes about it here.

Although there’s no hard evidence, several security firms, including Kaspersky, iDEFENSE and F-Secure, are pointing the finger at a Russian-speaking hacking group called the HangUP Team.

According to Kaspersky Labs, we may be looking at what is called a Zero Day Vulnerability. In other words, a hole “which no-one knows about, and which there is no patch for”. Usually it has been the good guys — known in the trade as the white hats — who discover vulnerabilities in software and try to patch them before they can be exploited, whereas this attack may reflect a shift in the balance of power, as the bad guys (the black hats) find the vulnerabilities first, and make use of them while the rest of us try to find out how they do it. “We have been predicting such an incident for several years: it confirms the destructive direction taken by the computer underground, and the trend in using a combination of methods to attack. Unfortunately, such blended threats and attacks are designed to evade the protection currently available,” commented Eugene Kaspersky, head of Anti-Virus Research at Kaspersky Labs.

In short, what’s scary about this is:

  • we still don’t know exactly how servers are getting infected. Everyone’s still working on it;
  • suddenly surfing itself becomes dangerous. It’s no longer necessary to try to lure victims to dodgy websites; you just infect the places they would visit anyway;
  • users who have done everything right can still get infected: even a fully patched version of Internet Explorer 6 won’t save you from infection, according to Netcraft, a British Internet security company.

For now, all that is recommended is that you disable JavaScript. This is not really an option, says Daniel McNamara of anti-phishing website CodePhish, since a lot of sites rely on JavaScript to function. A better way, according to iDEFENSE, would be to use a non-Microsoft browser. Oh, and if you want to check whether you’re infected, according to Microsoft, search for the following files on your hard disk: kk32.dll and surf.dat. If either is there, you’re infected and you should run one of the clean-up tools listed on the Microsoft page.
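For anyone who has to run that file check across more than one machine, here is an added Python sweep (mine, not Microsoft’s tool or anything from the original post) that walks a directory tree for the two names Microsoft lists, matching case-insensitively because Windows does, and records each hit with its size and SHA-256 so the result can be compared across machines. The scratch directory and the file contents in the demo are constructed; nothing here is the real file.

```python
import hashlib
import os
import tempfile

# File names Microsoft listed as indicators of a Download.Ject infection (from the post).
INDICATOR_NAMES = {"kk32.dll", "surf.dat"}

# Constructed placeholder content used only by demo_scan(); not the real file.
DEMO_PAYLOAD = b"constructed placeholder, not the real file"


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_indicator_files(root, names=INDICATOR_NAMES):
    """Walk root and return (path, size, sha256) for every file whose name matches.

    Matching is case-insensitive; a file that cannot be read is still reported,
    with None for size and hash, so an unreadable hit is not silently dropped.
    """
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in wanted:
                path = os.path.join(dirpath, name)
                try:
                    hits.append((path, os.path.getsize(path), sha256_of(path)))
                except OSError:
                    hits.append((path, None, None))
    return sorted(hits)


def demo_scan():
    """Build a constructed scratch tree holding one decoy with an indicator name, then scan it."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    os.makedirs(os.path.join(root, "WINDOWS", "system32"))
    with open(os.path.join(root, "WINDOWS", "system32", "KK32.DLL"), "wb") as handle:
        handle.write(DEMO_PAYLOAD)
    with open(os.path.join(root, "readme.txt"), "w") as handle:
        handle.write("harmless")
    return find_indicator_files(root)


if __name__ == "__main__":
    # On a real machine you would pass the system drive, e.g. find_indicator_files("C:\\").
    for path, size, digest in demo_scan():
        print(path, size, digest)
```

A name match alone is only a prompt to look closer: the hashes are what let you tell a genuine hit from an unrelated file that happens to share the name, and they are what you hand to whoever runs the clean-up.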

News: Beware QHosts

All you need to do to be infected by this virus is visit the homepage of Web hosting provider FortuneCity.com. CNET reports that a malicious program, dubbed QHosts, infects PCs using a recent flaw in Microsoft’s Internet Explorer to take control of how computers look up Internet addresses. The program takes advantage of a critical flaw in Internet Explorer, which Microsoft has made an integral part of its Windows operating system. The attacker somehow placed a banner ad on the site, and it was that banner ad that installed the Trojan horse on the user’s PC.
 
The QHosts program then changes which computers the infected PC contacts to resolve Web site and domain names it doesn’t already know. Known as domain name service (DNS) servers, such computers are generally operated by a trusted organization, such as an Internet service provider. However, QHosts will send the requests to other servers, which Schmugar believes are likely to be owned by the originator of the Trojan horse.
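As an added example (my own, not from CNET’s report or from any analysis of QHosts), this Python audit checks the two places a program on a Windows PC can redirect name lookups: the DNS server list the paragraph describes, and, as a generalisation beyond what the post says, the local hosts file (on Windows, %SystemRoot%\System32\drivers\etc\hosts), which the resolver consults before it asks any DNS server at all. Reading the live resolver list and hosts file off the machine is left to the caller; the addresses, domain names and hosts-file text below are constructed, using the documentation address ranges so they belong to no one.

```python
import ipaddress

# All values below are constructed for the demonstration; the addresses come from the
# documentation ranges (192.0.2.0/24, 198.51.100.0/24) and are not anyone's servers.
TRUSTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}         # the ISP's or organisation's DNS servers
CONFIGURED_RESOLVERS = ["192.0.2.53", "198.51.100.99"]   # what the PC is currently set to use
SAMPLE_HOSTS = """# constructed hosts file for the demo
127.0.0.1       localhost
::1             localhost
198.51.100.99   www.bank.example
198.51.100.99   login.bank.example   # a trailing comment is allowed
"""


def unexpected_resolvers(configured, trusted):
    """Return configured DNS server addresses that are not on the trusted list, in order."""
    return [addr for addr in configured if addr not in trusted]


def parse_hosts(text):
    """Parse hosts-file text into (address, hostname) pairs; one line may name several hosts."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        entries.extend((parts[0], name) for name in parts[1:])
    return entries


def suspicious_host_entries(entries):
    """Return entries that point a name somewhere other than the local machine.

    On an ordinary PC the hosts file only maps localhost to loopback; any other
    mapping silently overrides DNS for that name, which is exactly what a
    resolution hijack needs, so every such entry is reported for review.
    """
    flagged = []
    for addr, name in entries:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((addr, name))   # malformed address: report rather than guess
            continue
        if not ip.is_loopback:
            flagged.append((addr, name))
    return flagged


def audit_name_resolution(configured, trusted, hosts_text):
    """Single report combining the resolver check and the hosts-file check."""
    rogue = unexpected_resolvers(configured, trusted)
    overrides = suspicious_host_entries(parse_hosts(hosts_text))
    return {
        "unexpected_resolvers": rogue,
        "host_overrides": overrides,
        "hijack_suspected": bool(rogue or overrides),
    }


if __name__ == "__main__":
    print(audit_name_resolution(CONFIGURED_RESOLVERS, TRUSTED_RESOLVERS, SAMPLE_HOSTS))
```

The resolver check is only as good as the trusted list you feed it, so populate that from your ISP’s or your organisation’s documented servers rather than from the machine under suspicion; the hosts-file check needs no such list, because a consumer PC has no honest reason to map a bank’s name to anything.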
 
This raises a few troubling questions, such as: How did the banner ad get there? And what is the purpose of the trojan? Is it just malicious or is it commercially related? We should be told.