Jun 25 2004
Spreading the Love, IIS style
Wonderful, just wonderful. Large numbers of IIS servers out there are being infected with a worm that uses known but unpatched vulnerabilities in MS IIS to download a trojan into IE when any of the sites on the IIS server are accessed. The worm is making changes to the IIS servers that add a header and footer to every page on the server, including a download script as part of the pages. Microsoft has a fix, but it's complicated and may mess up your server. Here are some links for more complete information on this mixed-medium attack.
Internet Storm Center
06-24-04
06-24-05
Bleeding Snort signatures
Current Bleeding Snort Signatures
Microsoft
What You Should Know About Download.Ject
ZDNet
Researchers warn of infectious Web sites
And just because I can, here are the Bleeding Snort rules I've installed.
alert tcp any 80 -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in Transit"; content:"function gc099"; classtype:trojan-activity; sid:2000312; rev:2;)
alert tcp any 80 -> any 80 (msg:"BLEEDING-EDGE Unknown IIS Worm Client Visiting Infected Page"; uricontent:"/dot.php"; classtype:trojan-activity; sid:2000313; rev:2;)
alert tcp any 80 -> any any (msg:"BLEEDING-EDGE Client Downloading IE Adodb Code From Compromised Web Server"; content:"qxco7=document"; content:"qxco7.indexOf"; classtype:trojan-activity; sid:2000316; rev:2;)
alert tcp any 80 -> any any (msg:"BLEEDING-EDGE IE ADODB Exploit Javascript Detected"; content:"var qxco7=document.cookie"; sid:2000317; rev:1;)
alert tcp any 80 -> any any (msg:"BLEEDING-EDGE IE msits.exe Download Detected"; content:"|BA AC C7 AD C7 48 83 D1 CA 68 81 26 8B 6C F3 29 00 28 A3 2E 00 38 A3 36 02 6E 3F 25 8B 6C 87 E5 D8 3A D0 AD CF 48 97 76 E1 92 EF 26 9B 2C 87 42|"; sid:2000318; rev:1;)
alert tcp any 80 -> any any (msg:"BLEEDING-EDGE IE Adodb.Stream Exploit in Transit (Encoded)"; content:"%6D"; nocase; content:"%53%74%72%65%61%6D"; nocase; content:"%41%44%4F%44%42%2E"; nocase; classtype:trojan-activity; sid:2000319; rev:1;)
alert tcp any 80 -> any any (msg:"BLEEDING-EDGE IE Adodb.Stream Exploit in Transit"; content:"mms\://"; nocase; content:"ADODB.Stream"; nocase; classtype:trojan-activity; sid:2000320; rev:1;)
alert tcp any any -> 217.107.218.147 any (msg:"BLEEDING-EDGE Infected Client contacting 217.107.218.147"; classtype:trojan-activity; sid:2000322; rev:1;)
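If you want to see which of these signatures would fire on a page body before trusting them on a live sensor, here is an added example (mine, not Bleeding Snort's or Snort's code) that re-implements just enough of Snort's content matching to run the rules above over captured HTTP bodies offline. It parses the msg, sid, content/uricontent and nocase options, expands the |hex| notation, and requires every content option in a rule to match, as Snort does. The sample page bodies are constructed for the test and only carry the indicator tokens; uricontent is matched against the whole body here rather than a normalised URI, and sid 2000322 is left out because it matches on destination IP, not payload.

```python
"""Offline check of the Download.Ject Bleeding Snort content rules.

Added example, not Snort or Bleeding Snort code. Simplifications:
uricontent is matched against the whole payload, and only the
content/nocase/msg/sid options are interpreted.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Rules copied from the post (straight quotes). sid 2000322 is omitted on
# purpose: it has no content option and matches on destination IP only.
RULES = [
    r'alert tcp any 80 -> any any (msg:"BLEEDING-EDGE Unknown IIS Worm Code in Transit"; content:"function gc099"; classtype:trojan-activity; sid:2000312; rev:2;)',
    r'alert tcp any 80 -> any 80 (msg:"BLEEDING-EDGE Unknown IIS Worm Client Visiting Infected Page"; uricontent:"/dot.php"; classtype:trojan-activity; sid:2000313; rev:2;)',
    r'alert tcp any 80 -> any any (msg:"BLEEDING-EDGE Client Downloading IE Adodb Code From Compromised Web Server"; content:"qxco7=document"; content:"qxco7.indexOf"; classtype:trojan-activity; sid:2000316; rev:2;)',
    r'alert tcp any 80 -> any any (msg:"BLEEDING-EDGE IE ADODB Exploit Javascript Detected"; content:"var qxco7=document.cookie"; sid:2000317; rev:1;)',
    r'alert tcp any 80 -> any any (msg:"BLEEDING-EDGE IE msits.exe Download Detected"; content:"|BA AC C7 AD C7 48 83 D1 CA 68 81 26 8B 6C F3 29 00 28 A3 2E 00 38 A3 36 02 6E 3F 25 8B 6C 87 E5 D8 3A D0 AD CF 48 97 76 E1 92 EF 26 9B 2C 87 42|"; sid:2000318; rev:1;)',
    r'alert tcp any 80 -> any any (msg:"BLEEDING-EDGE IE Adodb.Stream Exploit in Transit (Encoded)"; content:"%6D"; nocase; content:"%53%74%72%65%61%6D"; nocase; content:"%41%44%4F%44%42%2E"; nocase; classtype:trojan-activity; sid:2000319; rev:1;)',
    r'alert tcp any 80 -> any any (msg:"BLEEDING-EDGE IE Adodb.Stream Exploit in Transit"; content:"mms\://"; nocase; content:"ADODB.Stream"; nocase; classtype:trojan-activity; sid:2000320; rev:1;)',
]

CONTENT_RE = re.compile(
    r'(?P<kind>uricontent|content)\s*:\s*"(?P<raw>(?:[^"\\]|\\.)*)"\s*;\s*(?P<nocase>nocase\s*;)?')
MSG_RE = re.compile(r'msg\s*:\s*"([^"]*)"')
SID_RE = re.compile(r'sid\s*:\s*(\d+)')


@dataclass
class Rule:
    sid: int
    msg: str
    contents: List[Tuple[bytes, bool]]  # (pattern, nocase)


def content_to_bytes(raw: str) -> bytes:
    """Expand a Snort content string: |hex bytes| blocks and backslash escapes."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == "|":
            j = raw.index("|", i + 1)
            out += bytes.fromhex(raw[i + 1:j])  # fromhex ignores the spaces
            i = j + 1
        elif c == "\\" and i + 1 < len(raw):
            out.append(ord(raw[i + 1]))  # e.g. "mms\://" -> "mms://"
            i += 2
        else:
            out += c.encode("latin-1")
            i += 1
    return bytes(out)


def parse_rule(text: str) -> Optional[Rule]:
    """Return a Rule for a payload-inspecting rule, or None if it has no content option."""
    contents = [(content_to_bytes(m.group("raw")), m.group("nocase") is not None)
                for m in CONTENT_RE.finditer(text)]
    if not contents:
        return None
    sid = int(SID_RE.search(text).group(1))
    msg = MSG_RE.search(text).group(1)
    return Rule(sid=sid, msg=msg, contents=contents)


PARSED_RULES = [r for r in map(parse_rule, RULES) if r is not None]


def rule_matches(rule: Rule, payload: bytes) -> bool:
    """All content options must be found; nocase ones compare ASCII case-insensitively."""
    lowered = payload.lower()
    for pattern, nocase in rule.contents:
        haystack, needle = (lowered, pattern.lower()) if nocase else (payload, pattern)
        if needle not in haystack:
            return False
    return True


def scan(payload: bytes, rules: Optional[List[Rule]] = None) -> List[int]:
    """Return the sids of every rule whose content options all match the payload."""
    return [r.sid for r in (rules if rules is not None else PARSED_RULES)
            if rule_matches(r, payload)]


# Constructed sample bodies: indicator tokens only, no working script.
INJECTED_PAGE = (b"<html><body>Welcome</body></html>\n"
                 b"<script>var qxco7=document.cookie; qxco7.indexOf('x');</script>\n"
                 b"<!-- constructed footer carrying the tokens ADODB.Stream mms:// -->\n")
ENCODED_PAGE = b"<script>x('%41%44%4f%44%42%2e%53%74%72%65%61%6d')</script>\n"
CLEAN_PAGE = b"<html><body>Welcome</body></html>\n"

if __name__ == "__main__":
    for name, body in [("injected", INJECTED_PAGE), ("encoded", ENCODED_PAGE), ("clean", CLEAN_PAGE)]:
        print(name, scan(body))
```

Running it prints the sids that fire for each constructed body; the injected footer trips 2000316, 2000317 and 2000320, the percent-encoded variant trips only 2000319 (note that nocase is what lets the lower-case %2e and %6d hex digits match), and the clean page trips nothing. Feed it real response bodies pulled from your own servers to see whether the signatures, and in particular the two-token rules, behave the way you expect before relying on them.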