• PC World
• »Security

More than 100 Web servers are still distributing the "Scob" malicious code, identified two weeks ago as code used in a widespread attack to plant Trojan horse programs on vulnerable computers, says one computer security company.

That attack used compromised Microsoft Internet Information Services (IIS) Web servers to distribute the Trojan horse programs.

Still Vulnerable

Enterprise security software maker Websense reports finding 114 Web sites that are still distributing variations of a malicious JavaScript program known as "Scob," or "Download.Ject." The attack initially targeted only Web servers running IIS Version 5, but most of the infected sites now run IIS Version 6, after administrators upgraded the systems unaware the servers were already infected, says Dan Hubbard, director of security and technology research at Websense.

Websense discovered the infected sites during its daily "mining" of more than 24 million Web sites, which the company uses to detect Web- and Internet-based threats. The company modified its mining algorithms on June 24 to search for Web sites distributing the Scob code, and has been monitoring such sites since then, Hubbard says.

The 100 affected sites are all running either IIS 5.0 or 6.0. Attack code distributed by the infected servers still points to Web sites used in the attack, which were taken off-line shortly after news of the original attacks spread, meaning that the continued malicious code attacks have probably not resulted in new Trojan infections, Hubbard says.

First detected on June 24, the Scob attacks have been attributed to a Russian hacking group known as the "hangUP team." They used a recently-patched buffer overflow vulnerability in Microsoft's implementation of secure sockets layer (SSL) to compromise vulnerable Windows 2000 systems running IIS Version 5 Web servers. Companies that used IIS Version 5 and failed to apply a recent security software patch, MS04-011, were vulnerable to compromise.

Finding Unpatched Holes

The June attacks also used two vulnerabilities in Windows and the Internet Explorer Web browser to silently run the malicious code distributed from the IIS servers on machines that visited the compromised sites, redirecting the customers to Web sites controlled by the hackers and downloading a Trojan horse program that captures keystrokes and personal data.

One of those vulnerabilities was an unpatched IE hole that used a Windows component called ADODB.Stream to force Internet Explorer to load insecure content using relaxed security precautions typically applied to files stored on the local hard drive or obtained from a trusted Web site, according to experts.

On July 2, Microsoft pushed out changes that altered the configuration of Windows 2000, Windows XP, and Windows Server 2003 to help customers fight off the Scob attacks, disabling ADODB.Stream. The company is also planning a number of software patches, including a patch for a gaping Internet Explorer security hole in coming weeks, and may release those outside of its monthly security patch schedule.

Despite the apparent links of the infected sites to the June attacks, some of the infected servers are distributing variations of the malicious JavaScript code used in the June attacks and are distributing the code directly in HTML Web pages served from IIS, rather than appending it to Web pages as a "footer," as in the original attacks, Hubbard says.

Hubbard declines to name the infected Web sites, citing company policy, but says none are "high profile" or popular enough to be listed among the 500 most-visited Web sites.

Routes of Infection

While the IIS 6 infections appear to be the result of upgrades to already-infected IIS servers, the servers could become infected with Scob in other ways, according to a Microsoft spokesperson.

Among other things, a user with rights to publish to an IIS 6 server who also has rights on an infected IIS 5.0 server could transfer infected Web pages from one server to the other, she says. Alternatively, IIS servers running Version 5 without the MS04-011 patch that upgraded to IIS Version 6 could also be vulnerable to attack, the spokesperson adds.

Microsoft is not aware of any direct infection of IIS 6.0 servers, she says.

Data from Websense supports that conclusion, as well. At least 20 of the 100 IIS 6.0 Scob sites Websense discovered were running IIS 5.0 until recently, and may have been upgraded manually by administrators unaware of the infection, or using Microsoft's AutoUpdate feature, Hubbard says.

He also notes that the malicious code points to the original Russian attack sites as evidence that the infections are from the original attack in June.

"Why would someone design a new attack and still point to a Web site that's gone? It doesn't make sense for people to target computers in an attack if the payload is useless," he says.

Meanwhile, Websense is attempting to contact the administrators of infected sites and encourage them to disinfect their servers, Hubbard says.

Hubbard says he has spoken to five different Webmasters of infected sites. Each had recently upgraded to IIS 6.0 for a variety of reasons and was "surprised" to hear that they had been infected with Scob, he adds.