Zeroes

Midnight 26 June 2004 UTC
Time some of you laid low for a while.

The Internet is in a tumble over a so-called zero-day exploit - an exploit that takes advantage of a vulnerability no one knows about yet. The zero-day exploit the world is currently tumbling over is ten times worse because it's two-fold: first you don't see it grabbing the one machine, then you see it grabbing the other, but it's too late. Security experts have already missed the first step - they can't know how the thing got started in the first place.

Malware used to be a prank. The Morris Worm was a prank. Melissa was a prank. The Love Bug was a temper flare and a gross underestimation. AnnaK was a didacticism. Sasser and Blaster were pranks. But that's all in the past. Malware is big business now.

Displaying savvy and skills that run rings around the boneheads responsible for the targeted 'technology', organised gangs have succeeded in amalgamating the email worm with the computer virus with the trojan with the DDoS attack and so forth - and now this. And some gurus think it's all hooked together.

Personal computers running Microsoft Windows and Microsoft Internet Explorer are getting infected by merely visiting web sites. These web sites are invariably run by another Microsoft product, Internet Information Server (IIS). IIS has such a poor record and is so long ago castigated and condemned for its poor engineering it's a wonder anyone uses it anymore. The US Federal Accounting Office (FAO) declared it beyond repair years ago and recommended in no uncertain terms that all US government sites immediately use something more reliable instead. IIS still holds onto slightly less than 25% of the market share; Apache, the open source and relatively bug-free alternative, has nearly 70%. Yet Windows installs in the NT family normally set up IIS for the user, and often without the user being aware of it. Such was the case with Code Red, as one example. Real professional and high volume sites know better than to use IIS.

On 24 June the Internet Storm Center published its first report:

'Thanks to everybody who generously provided updates to us today. We still do not know how the IIS servers are originally infected with the JavaScript or the modification to the configuration files. Any additional theories or ideas are welcome. The earliest reported infection was on June 20th (four days ago). What we DON'T know, and can use some help in figuring out, is how the malware is installed on the IIS server to begin with. Is there a zero-day floating around?'

And what makes this one so deadly is the fact that there are still a number of commercial sites using the junk. Banks like IIS, for example. eBay runs on IIS for some unfathomable reason. Earthlink's been hit. This attack is not against little known porn sites or other out of the way places: it's against some pretty well known places.

What happens when Internet Explorer visits an infected IIS site? The site puts a payload in the 'footer' of the HTML pages - something it can do because it in a mysterious way has been able to reconfigure IIS to allow it. The payload is an executable for the Windows platform which installs itself, changes its name, and extracts a DLL as well. It then runs the DLL in kernel mode to inject code into system DLLs with the WriteMemory API so that when it exits there's no sign of anything out of the ordinary anywhere.

But the trojan has a keystroke logger onboard, and the keystroke logger begins amassing credit card numbers, bank account numbers, passwords for online banking, and so forth.

So consider the following scenario: John Q Luser visits his bank online. The bank site is infected. John's computer gets the stealth download and the keystroke logger is installed. Now John logs into his bank site. And submits his password.

Game over.

Part of the vulnerability on the client side has been known by Microsoft since August of last year. Microsoft have still not offered a patch. Admittedly people are getting tired of Microsoft's patches and their all too risky software, but still and all. The other part of the client side vulnerability is also a hole Microsoft have no patch for.

Strike two.

The official Microsoft response has been to downplay the fact that they've been caught yet again with their panties down and to recommend people tighten their browser security and only accept plain text email (Outlook and Outlook Express render HTML email with the same vulnerable Internet Explorer engine). The message from more honest security resources has been clearer: abandon Internet Explorer. And as for Microsoft's suggestion that Internet Explorer users also invest in a popup stopper - Internet Explorer is today the only major browser that doesn't have one already built in.

It's very safe to say that surfing the web today with a Windows machine and Internet Explorer should simply not be done. It can't be 100% certain that one will be infected under these circumstances and see one's life savings evaporate, but it is certain that by not using these products one is immeasurably safer. The best bet for diehard Windows users is to try Mozilla's new Firefox - it comes with all the Teletubbie graphics Windows XP users love, and it's lean, mean, and fast. It's perhaps the best browser available anywhere today.

As for email, Firefox has its companion Thunderbird, but resorting to webmail for the time being (but absolutely not with Internet Explorer) can be an alternative.

Until more is known about this attack, Windows users should keep a very low profile. The rest of us can let you know when the coast is clear again.

Update 26 June 2004

The Neverland server hosting the keystroke logger has been shut down. Infected IIS sites will still hit vulnerable Windows clients, but the payload will no longer be found - for now.

'This stops the problem for the short term', said Alfred Huger, senior director of engineering for security company Symantec. 'However, it just takes a new culprit to come along and do the same thing all over again.'

Considering that the attack involves three vulnerabilities and Microsoft only have patches for two, things could still take a turn for the worse.

But for now all Microsoft users have to worry about is staying infection free as they navigate to the Windows Update site to get their latest fix against Sasser, Blaster, and all of the countless other parasites out there.

Links

Berbew/Webber/Padodor Trojan Analysis
http://www.lurhq.com/berbew.html
The definitive story on the attack.

A number of sites are reporting malicious javascript code being appended to every page served by their IIS server. Some in the press are speculating that there is a new 'zero-day' IIS vulnerability circulating.

Name: msits.exe, renamed on install
Size: 51,712 bytes

The trojan is installed via the ADODB/javascript redirection exploit for Internet Explorer for which there is no current patch. When a user visits an infected IIS server using IE, the trojan will be downloaded from a Russian webserver and executed in the background. It copies itself to the system directory using a random name, and also extracts a DLL file which acts as a loader for the EXE at boot time using the ShellServiceObjectDelayLoad Registry key.

The trojan appears to be designed for the purposes of 'phishing', that is, stealing financial and other account details from the infected user. While most phishing is done via email, this trojan directly captures password and logins if the infected user attempts to log in to Ebay or Paypal and also Earthlink, Juno and Yahoo webmail accounts.

The trojan has some rudimentary rootkit functionality; by patching in-memory DLLs using the PhysicalMemory device it will not show up in the Windows task manager list. [<- If you didn't get that last bit, get it now: this is serious. Very serious. These guys are running rings around Microsoft.]

Where The Payload Comes From (Do NOT Use This Link)
http://217.107.218.147:80
And this is a duly registered, fully legit site in Russia. Needless to say, be on the lookout for any traffic with this IP block.

inetnum:      217.107.218.0 - 217.107.218.255
netname:      E-NEVERLAND-NETWORK-1
descr:        E-Neverland Network Company
descr:        Malaya Dmitrovka st., 12/1
country:      RU

Researchers warn of infectious Web sites
http://zdnet.com.com/2100-1105_2-5247187.html
Security researchers warned Web surfers on Thursday to be on guard after uncovering evidence that widespread Web server compromises have turned corporate home pages into points of digital infection.

Increase Your Browsing and E-Mail Safety
http://www.microsoft.com/security/incident/settings.mspx
Be careful here: Microsoft are guarding their backsides.

What You Should Know About Download.Ject
http://www.microsoft.com/security/incident/download_ject.mspx
Likewise: note MS don't even use the same name. That's because no matter what they attempt to imply, THEY DO NOT HAVE A PATCH.

Pop-up toolbar spreads via IE flaws
http://zdnet.com.com/2100-1105_2-5229707.html
Earlier story on same topic.

Two Domains To Boycott Completely (DO NOT CLICK)
i-lookup.com, iclicks.net
These sites are suspected of being involved in the attack.

Web hosting company confirms hack attack
http://zdnet.com.com/2100-1105_2-5076050.html
Another related story - experts were still trying to put the pieces together.

Berbew Report At The Internet Storm Center
http://isc.sans.org/diary.php?date=2004-06-24
For once they don't have all the information, but they're an important resource.