From: B3r3n (B3r3n_at_argosnet.com)
To: email@example.com
Date: Fri, 25 Jun 2004 19:50:08 +0200
>There have been several reports of IIS servers being compromised in a
>similar fashion. The result is that each has a document footer specifying
>a malicious website. The loaded page installs a trojan via one of
>several attack methods attempted. According to Computer Associates, at
>least one of those methods remains unpatched. The malicious web page the
>client was being sent is no longer available.
>At this point it does not look like this is a widespread issue, but I'd
>like to see what you have seen.
>1. There is so far no reasonable explanation as to how the IIS servers
>checks first to see if the browser is viewing via HTTPS, and if so, then
>checks to see if there is a cookie on the client machine which starts
>executes causing the malicious page to be delivered to the victim. The
>cookie expires in 10 minutes.
>- Check your IIS Servers and verify whether the "Enable Document Footer"
>option has been enabled (inspect the Documents tab in IIS Manager for
>each site, or inspect the metabase for the EnableDocFooter is set to
>- If Document Footers are enabled and they shouldn't be, check which
>files are being specified as the footer document. If you have been
>attacked you will find files named similar to "iis7#.dll" in the
>\inetsrv directory. There may be one for each of your virtual
>- ftpcmd.txt, agent.exe, and ads.vbs have also been found on compromised
>machines. ftpcmd gets the agent.exe, which is subsequently executed
>resulting in the metabase being modified by executing the ads.vbs with
>Questions for those of you who have been compromised:
>a) Do you have an SSL certificate on any site on the compromised box?
>There has been some speculation that this may have something to do with
>b) Were all of the sites on the compromised machine modified to include
>a document footer? If not, is there anything unique about the ones that
>c) If you had more than one machine compromised, did you have any
>similarly exposed IIS servers that weren't compromised? There is
>speculation that the attack is specific to IIS 5.0.
>d) Had you applied MS04-011 but not yet had the machine rebooted? A
>couple of the reports from compromised machines indicated they had
>applied the patch but not yet rebooted the machine. Try to be sure
>whether the machine was rebooted before indicating it was "fully
>patched." Please provide the details of the compromised box, its OS
>version, SP level, patches applied, plus any other components which may
>have been installed (e.g. Cold Fusion, etc...)
>e) Can you send me a copy of the agent.exe, or whatever name it may be?
>If so, please rename the extension to .ts and send it to
>f) What directory did you find the ftpcmd.txt and/or agent.exe in?
>g) Check your logs for anything dated similar to the datetime of
>ftpcmd.txt, let me know if you find anything suspicious.
>2. The attack against the clients has been specified as being:
>Microsoft - Download.Ject
>Symantec - JS.Scob.Trojan
>FSecure - Scob
>Computer Associates - JS.Toofer
>CA provides the most information so far, indicating that the trojans are
>polymorphic variants of Win32.Webber. They claim the malicious web page
>exploits the Modal Dialog Zone Bypass discovered earlier in June. They
>also claim it is exploiting the vulnerability fixed by MS04-013 (MHTML).
>a) If you got a copy of the attacking page, can you send it to me?
>b) What site served up the document footer that caused you to be sent
>the malicious page?
>Russ - NTBugtraq Editor
>NTBugtraq Editor's Note:
>Want to reply to the person who sent this message? This list is configured
>such that just hitting reply is going to result in the message coming to
>the list, not to the individual who sent the message. This was done to
>help reduce the number of Out of Office messages posters received. So if
>you want to send a reply just to the poster, you'll have to copy their
>email address out of the message and place it in your TO: field.
Full-Disclosure - We believe in it.
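The server-side checks Russ asks for above (is EnableDocFooter switched on anywhere under W3SVC, what file does DefaultDocFooter point at, and are any of the iis7#.dll, ftpcmd.txt, agent.exe or ads.vbs artefacts on disk) can be scripted. The script below is an added example written for this page; it is not code from the original post, from NTBugtraq or from any vendor advisory. It assumes Windows PowerShell on an IIS 5.0/6.0 host with the IIS ADSI provider (IIS://) available, run locally with administrative rights. The file names are the ones the post lists; the search roots (\inetsrv and %SystemRoot%) are an assumption, since the post itself asks where the files were found.

```powershell
# Added example, not part of the original NTBugtraq post.
# Assumptions: run elevated on the IIS box itself; IIS ADSI provider present;
# Windows PowerShell installed. Search roots below are guesses, not from the post.

$inetsrv = Join-Path $env:SystemRoot 'system32\inetsrv'

# Walk the metabase from W3SVC down through sites, virtual directories and
# directories, reporting every node where a document footer is enabled or a
# footer document is configured. Both properties are inheritable, so a footer
# set at W3SVC level applies to every site unless overridden further down.
function Get-IisDocFooter {
    param([string]$Path = 'IIS://localhost/W3SVC')

    $node    = [ADSI]$Path
    $enabled = $node.psbase.Properties['EnableDocFooter'].Value
    # DefaultDocFooter is stored as 'FILE:<path>' or 'STRING:<text>'.
    $footer  = $node.psbase.Properties['DefaultDocFooter'].Value

    if ($enabled -eq $true -or -not [string]::IsNullOrEmpty([string]$footer)) {
        New-Object PSObject -Property @{
            Node             = $Path
            EnableDocFooter  = $enabled
            DefaultDocFooter = $footer
        }
    }

    foreach ($child in $node.psbase.Children) {
        $class = $child.psbase.SchemaClassName
        if (@('IIsWebServer', 'IIsWebVirtualDir', 'IIsWebDirectory') -contains $class) {
            Get-IisDocFooter -Path $child.psbase.Path
        }
    }
}

# Look for the artefacts named in the post. Hits are leads, not proof; inspect by hand.
function Get-SuspectFiles {
    param([string[]]$Roots = @($inetsrv, $env:SystemRoot))   # assumed locations

    Get-ChildItem -Path $inetsrv -Filter 'iis7*.dll' -ErrorAction SilentlyContinue
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Include 'ftpcmd.txt', 'agent.exe', 'ads.vbs' `
            -ErrorAction SilentlyContinue
    }
}

$footers = @(Get-IisDocFooter)
if ($footers.Count -eq 0) {
    'No document footers configured under W3SVC.'
} else {
    $footers | Format-Table Node, EnableDocFooter, DefaultDocFooter -AutoSize
    # Where a footer points at a file, show the file: the post reports footer
    # files dropped into \inetsrv with names like iis7#.dll.
    foreach ($f in $footers) {
        if ([string]$f.DefaultDocFooter -like 'FILE:*') {
            $file = ([string]$f.DefaultDocFooter).Substring(5)
            if (Test-Path $file) {
                Get-Item $file | Select-Object FullName, Length, LastWriteTime
            }
        }
    }
}

$suspects = @(Get-SuspectFiles)
if ($suspects.Count -gt 0) {
    $suspects | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
    # Question (g) in the post: look at web/FTP logs around the time the
    # earliest artefact was written.
    $oldest = ($suspects | Sort-Object LastWriteTime | Select-Object -First 1).LastWriteTime
    'Earliest artefact written at {0}; review IIS and FTP log entries near this time.' -f $oldest
}
```

A footer configured with a STRING: value will also be reported, since an attacker need not drop a file at all; treat any unexpected DefaultDocFooter as suspicious regardless of its form, and note that an absent footer does not rule out the other modifications the post describes (metabase changes made by ads.vbs).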