Malware Attack Thwarted, But Danger Lurks Critical IE Vulnerability Remains Unpatched Ryan Naraine
A Russian web site that was being used to distribute malware programs as part of a sophisticated attack against Microsoft IIS 5.0 servers has been taken offline by law enforcement officials.
Microsoft announced over the weekend that law enforcement officials, working in tandem with ISPs, shut down the malicious web site to thwart the spread of the Download.Ject Trojan. But experts warn that a still-unpatched flaw in the popular Internet Explorer browser is still a major security problem.
The software giant confirmed the attack exploited an IE vulnerability to distribute malicious code to visitors of an affected web site, but there was
no word on when the IE flaw would be fixed.
"The originating web site of attack has been taken offline. Internet Explorer customers are no longer at risk from that particular attack source as of Thursday evening," reported Microsoft.
However, because the IE flaw remains unpatched, there are fears in the security sector that a new attack is inevitable. The vulnerability was first reported on June 10 after code for "zero-day exploits" targeting fully patched systems with IE 6.0 was posted on a public discussion list.
Microsoft said IE users should install the latest security updates and utilize high-security browser settings to mitigate the threats. The company
also said customers running Windows XP SP2 Release Candidate 2 were already protected from the Download.Ject threat.
Download.Ject, also known as Scob, is a Trojan downloader that started spreading last week after unknown attackers uploaded a small file with JavaScript to infected web sites running Microsoft IIS 5.0 servers. The web server configuration was altered to append the script to all files served by the Web server.
A user visiting an infected site with IE automatically became infected with the JavaScript, which triggered a download from a Russian web site. The download included Trojan horse programs like keystroke loggers, proxy servers, and other backdoors providing full access to the infected system.
Anti-virus firm Symantec reports the keystroke loggers appear to be hijacking personal information for PayPal, eBay, and other ISP accounts.
Microsoft describes Download.Ject as a "targeted manual attack by individuals or entities" and makes it clear that it is not a worm or virus
attack.
The company says its analysis, confirmed independently by ISS X-Force, shows that IIS 5.0 Servers that have not been updated with a patch available since April were susceptible to this attack. The MS04-011 security bulletin that contains the IIS fix is available here.
