Scob infection statistics, etc..

• Previous message: David Ahmad: "Symantec DeepSight Threat Management System Analysis: Client-side Exploitation"
• Next in thread: David Gillett: "RE: Scob infection statistics, etc.."
• Reply: David Gillett: "RE: Scob infection statistics, etc.."
• Maybe reply: Chinnery, Paul: "RE: Scob infection statistics, etc.."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 28 Jun 2004 11:53:25 -0700
To: <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>, <incidents@securityfocus.com>, <bugtraq@securityfocus.com>

If anyone is interested we have some information on the Scob Trojan
"released" last week.

* we saw customers visiting the Russian URL's starting June 22. All the
sites are down but here is a list of the sites visited with frequency
counters.

        http://217.107.218.147:80/redir.php 2
        http://217.107.218.147/sht/shellscript.js 1
        http://217.107.218.147/thom.html 4
        http://217.107.218.147/smack.html? 1
        http://217.107.218.147/new.html 866
        http://217.107.218.147/fed.html 97
        http://217.107.218.147/msits.exe 208
        http://217.107.218.147/index.php 1193
        http://217.107.218.147/md.htm 169
        http://217.107.218.147/index1.htm 47
        http://217.107.218.147/dot.php 2665
        http://217.107.218.147/sht/its.html 4
        http://217.107.218.147/sht/msits.exe 9
        http://217.107.218.147/stat.php 205
        http://217.107.218.147/its.html 65
        http://217.107.218.147/shellscript_loader.js 1
        http://217.107.218.147:80/index.php 1
        http://217.107.218.147/sht/new.html 25
        http://217.107.218.147/sht/shellscript_loader.js 2
        http://217.107.218.147/redir.php 177
        http://217.107.218.147/shellscript.js 1
        http://217.107.218.147/sht/redir.php 24
        http://217.107.218.147:80/dot.php 34
        http://217.107.218.147:80/msits.exe 7
        http://217.107.218.147//main.chm 15
        http://217.107.218.147/sht/md.htm 11
        http://217.107.218.147/sht/md.html 13

* as of Sunday we have identified more than 130 unique domains that are
still infected.
* all sites infected are running IIS 5.0 and SSL
* all sites are infected on both HTTP and HTTPS URL's
* sites IP addresses are located in USA (mostly web hosting ISP's),
Australia, New Zealand, Canada, Japan, Spain, UK, and Norway). At least
that is what arin, apnic, and ripe are reporting.
* appears as though no sites certificates have been tampered
* none of the sites still infected would be consider "top rated"
websites
* we have seen no unusual/increase in traffic in any of our honeypots

Due to the number of sites infected, this leads me to believe that there
is either a poorly written worm or that the source of the webserver
exploit is out there. Does anyone have information on the exploit ? It
would be interesting to see and then report on the number of webservers
that are vulnerable to this type of attack. Also, has anyone seen any
new versions yet ?

Thanks

• Previous message: David Ahmad: "Symantec DeepSight Threat Management System Analysis: Client-side Exploitation"
• Next in thread: David Gillett: "RE: Scob infection statistics, etc.."
• Reply: David Gillett: "RE: Scob infection statistics, etc.."
• Maybe reply: Chinnery, Paul: "RE: Scob infection statistics, etc.."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]