A new form of attack is spreading around the Internet, but to what extent remains unknown at the time of this writing. The attack affects unpatched Microsoft IIS systems, which are then made to attack unprotected Microsoft Internet Explorer (IE) systems.
Intruders use an overflow condition in IIS to compromise an unpatched system. The vulnerability is related to the Private Communications Transport (PCT) in Microsoft's Secure Sockets Layer (SSL) library. Malicious Javascript code is inserted into a Web page and when unprotected IE users visit the compromised Web page, IE might run the Javascript code on the user's system. The code then injects the system with the attackers code of choice.
Administrators should install Microsoft patch MS04-011 to protect IIS. According to iDEFENSE, IE users are being compromised using a combination of two vulnerabilities, one of which is related to a problem in MIME Encapsulated Aggregate HTML (MHTML) and the other related to ADODB. Microsoft made a patch available for the MHTML issue (MS04-013), however there is no patch available yet for the ADODB vulnerability. IE users should consider disabling Active scripting in IE to protect their systems against these attacks.
Microsoft published an article, "Download.Ject" for users who might be infected by this particular attack. In the article Microsoft said that if users search their systems and find two files, kk32.dll and surf.dat, then the files probably indicate the system is infected. Microsoft recommends that users clean their systems using a virus scanning tool.
LURHQ, a managed security services provider, published a detailed analysis of the attack, which the company said installs the Berbew/Webber/Padodor Trojan on users' systems. The company said that when a user visits a compromised Web site, the Trojan will be downloaded from a Russian Web server, and the Trojan then "copies itself to the system directory using a random name, and also extracts a DLL file which acts as a loader for the \[executable file\] at boot time using the ShellServiceObjectDelayLoad registry key."
LURHQ said the Trojan is designed for "phishing" attacks, in which it gathers logon information from users who log on to eBay, Paypal, Earthlink, Juno, and Yahoo Web mail. The company said the Trojan might also create fake pop-up windows to entice users to enter credit card information and associated PIN numbers. The Trojan also hides itself from the process list by patching certain DLLs already loaded into memory. The company also made available a list of steps for manual removal of the Trojan from infected systems, as well as a Snort intrusion detection signature (seen below) that administrators can add to their Snort installations.
alert tcp any any -> any 80 (msg:"Webber/Berbew trojan keystroke log upload"; flow:established; content:"id=crutop|26|vvpupkin0="; depth:20; classtype:trojan-activity; reference:url,www.lurhq.com/berbew.html; sid:1000108; rev:1;)
