« Where's Global Warming When You Need It? | Main | New Blog on the Roll »

June 25, 2004

Remove the Java From Your Life

At least for the moment.

There is a new trojan floating about out there called Berbew. It's a lovely little thing that comes direct to you from web browsing. In the extended entry I'm going to reprint the information from the Internet Storm Center.

First of all - Update your Antivirus sigs! They are now looking for this particular exploit. Although I would think that with a little tweeking it wouldn't be hard for the bad guys to get around this little roadblock.

Second - a firewall such as ZoneAlarm would alert you to your computer trying to get in touch with and download the actual executable trojan. You would therefore be able to deny it permission, thus you wouldn't get the trojan.

Third - turn off Java on your browser! It's gonna screw up some browsing fun, but until they find the holes and patch them, it's the safest thing to do.

The really fun part - which is included in the extended section... they still don't know how the affected servers were compromised! Yeah, if they don't know how the bad guys got in, how are they going to keep them out???

If you're geeky enough or just want more info, click on the extended section for more...

The Berbew Trojan Info from ISC

UPDATE 17:26 UTC Jan 25 2004

LURHQ published a detailed analysis of the "Berbew" trojan downloaded by this exploit. According to this analysis, the trojan will capture passwords as use log into given e-commerce, bank or auction web sites.


UPDATE 16:10 UTC Jun 25 2004

A reader who's web server was impacted by this attack sent us some findings from his Windows Security Event Logs. The logs showed the following sequence at the time of the incident:

- a process was created for CMD. The user name on the process was the ComputerName with a $ at the end.

- a process then was created for FTP.exe

- then for a file called agent.exe

- then mulitple instances of CSCRIPT were called
Thanks to Micheal Teff for providing this information.


Deb Hale - [email protected]
Handler on Duty

_______________________________________________________________________________

A large number of web sites, some of them quite popular, were compromised earlier this week to distribute malicious code. The attacker uploaded a small file with javascript to infected web sites, and altered the web server configuration to append the script to all files served by the web server. The Storm Center and others are still investigating the method used to compromise the servers. Several server administrators reported that they were fully patched.

If a user visited an infected site, the javascript delivered by the site would instruct the user's browser to download an executable from a Russian web site and install it. Different executables were observed. These trojan horse programs include keystroke loggers, proxy servers and other back doors providing full access to the infected system.

The javascript uses a so far unpatched vulnerability in MSIE to download and execute the code. No warning will be displayed. The user does not have to click on any links. Just visiting an infected site will trigger the exploit.

If your SERVER was compromised, you will observe:

* All files sent by the web server will include the javascript. As the javascript is delivered by the web server as a global footer, images and other documents (robots.txt, word files) will include the javascript as well.
* The files on your server will not be altered. The javascript is included as a global footer and appended by the server as they are delivered to the browser.
* You will find that the global footer is set to a new file.
* For snort signatures, see http://www.bleedingsnort.com

We do not know at this point how the affected servers have been compromised. The SSL-PCT exploit is at the top of our list of suspects. If you find a compromised server, we strongly recommend a complete rebuild. You may be able to get your web site back into business by changing the footer setting and removing the javascript file. But this is a likely a very sophisticated attack and you should expect other stealthy Backdoors.

If you visited an affected page, and your BROWSER is compromised:

* You may see a warning about a javascript error. But it depends on how the attack code interfers with other javascript on the respective page, and many users disable these javascript warnings.
* Disconnect the system from the network as soon as possible.
* run a thorough virus check with up to date virus definitions. Many AV vendors released new definitions as recently as last night.
* If you are able to monitor traffic to the infected host, you may see attempts to contact 217.107.218.147 on port 80.
We do not have any evidence of any other target IPs being involved at this point. However, as this ip is no longer reachable, attackers may plant scripts that point to other IPs in the future
* AV software will detect the javascript as 'JS.Scob.Trojan'.

FAQ's about this attack:

- Is this the first time web servers have been compromised to attack browsers?

No. Nimda attempted the same trick, using an older MSIE exploit. Other attempts have been observed in the past. This attack is special because it affects a large number of servers and is not easily detectable.

- Will affected websites be "defaced" or otherwise altered?

No. In most cases, the web sites will look just like usual to the casual browser. The infected javascript may interfere with other javascript on the respective page.

- Will the javascript attached to images be executed? No. The javascript attached to images is harmless. It's the JavaScript attached to the .htm or .html files that gets executed, forcing the browser to connect to the Russian site.

- How can I protect my web server from becoming infected and used as a host for the script?

Apply all necessary patches. If you find an unpatched web server, assume it has been compromised even if you do not see an obvious sign of an attack. Given the current threat environment, an unpatched web server is likely to be attacked successfully within a few hours.

- How can I protect my users from these web sites. Do you publish a list? Should they stop browsing?

We do not provide a list of infected sites. Instead we try to work with site administrators to have them shut down as soon as possible. Right now, we don't know of any sites that are still hosting the script. Given that this attack is likely going to be repeated using different javascript code, we recommend that you (*) install and maintain anti virus software (*) if possible turn off javascript, or use a browser other then MSIE until the current vulnerabilities in MSIE are patched.

*********
There are more informational links at the ISC - unfortunately it doesn't look as if permalinks are available for each posting. So you may have to look around to find them.

Posted by on June 25, 2004 at 03:32 PM in Web/Tech |

Comments

rammer

thanks for the info, i think. i've been updating and scanning for a while now.

Posted by: rammer | June 29, 2004 at 05:46 PM

The comments to this entry are closed.

About

July 2004

Sun Mon Tue Wed Thu Fri Sat
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31

Blogroll

Categories

Archives

Subscribe to this blog's feed
Blog powered by Typepad

Counter