Understanding Download.Ject

Last week, I mentioned an insidious new electronic attack, which appeared to exploit vulnerabilities in both Microsoft Internet Information Services (IIS) 5.0 and Microsoft Internet Explorer (IE), marking the first time malicious users have initiated one attack that uses two different attack vectors--a server-side attack and a client-side attack. This week, I have more information about the attack and Microsoft's first, half-hearted response. The software giant says a formal patch is forthcoming, however.

Download.Ject: What Really Happened
According to Microsoft, customers began reporting the Download.Ject electronic attack the week of June 21, 2004. The attack targets Windows 2000 Server systems running unpatched versions of IIS 5.0; specifically, Download.Ject appears to target the vulnerabilities Microsoft patched with Microsoft Security Bulletin MS04-011 (Security Update for Microsoft Windows) and Microsoft Security Bulletin MS04-013 (Cumulative Security Update for Outlook Express). The malicious code inserts JavaScript code on unpatched systems--code that redirects users to an offsite Web server. That server uses a previously unknown IE vulnerability to install code on client-side systems that can record keystrokes--gathering such private information as passwords and credit card numbers.

On June 24, Microsoft issued its first response, announcing that it had shut down the Russian Web server that was initiating the attacks; this server was the one that users were being redirected to as well, so its removal effectively shut down the initial attack. However, the still-unpatched IE vulnerability means that users are open to similar attacks, and because many unpatched IIS installations are likely still operating around the world, this type of two-pronged attack will likely be imitated soon. An anxious Windows nation awaits a formal Microsoft response. To date, that response has been somewhat disappointing.

Microsoft's First Response: Configuration Change
On July 2, more than 1 week after Microsoft announced its successful takedown of the Russian Web server, the company issued an unprecedented first response to the unpatched IE vulnerability. But Microsoft didn't actually patch the problem, although it says it's busy working on a true patch and will release the patch as soon as possible. Instead, the company issued a "configuration change" through Windows Update for Windows Server 2003, Windows XP, and Win2K that "improves system resiliency to protect against the Download.Ject attack," according to a Microsoft posting. The company also provided general information about securing Windows systems: Use a firewall, keep your antivirus solution up-to-date, and visit Windows Update.

So what is this configuration change? Essentially, it's a registry change that disables the ADODB.Stream object in IE. This object represents a file in memory and is used to read and write binary files and text files. The Download.Ject attack exploits a vulnerability in IE and uses the ADODB.Stream object's intended functionality to execute scripts with local privileges (typically administrator-level privileges because virtually all Windows users are running an administrator-type account). By disabling the ADODB.Stream object in IE, Microsoft is effectively undermining the Download.Ject attack on the client side. If you're interested in more information about this configuration change, the Microsoft article "How to disable the ADODB.Stream object from Internet Explorer" ( http://support.microsoft.com/?kbid=870669 ) describes how to manually achieve the same result. The company is also providing information to help you determine whether your system is infected and instructions for cleaning an infected system (http://www.microsoft.com/security/incident/download_ject.mspx).
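One way to audit and apply that same configuration change from an elevated PowerShell prompt, as an added example that is not code from this column or from Microsoft; it assumes the standard IE ActiveX "kill bit" mechanism (bit 0x400 of the Compatibility Flags value) and the ADODB.Stream CLSID documented in KB 870669, both of which should be verified against that article before use:

```powershell
# Added example, not from the article or Microsoft. Assumes the standard IE
# kill-bit mechanism: a DWORD "Compatibility Flags" with bit 0x400 set under
# HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# stops IE from instantiating that control. The CLSID below is the one
# documented for ADODB.Stream in KB 870669; verify it against that article.
$AdodbStreamClsid = '{00000566-0000-0010-8000-00AA006D2EA4}'
$KillBit = 0x400

function Get-ActiveXCompatKey {
    param([string]$Clsid)
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Test-ActiveXKillBit {
    # Returns $true when IE is configured to refuse to create the control.
    param([string]$Clsid)
    $key = Get-ActiveXCompatKey $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -ne 0)
}

function Set-ActiveXKillBit {
    # Sets the kill bit while preserving any other flags already present.
    param([string]$Clsid)
    $key = Get-ActiveXCompatKey $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $existing) { $existing = 0 }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($existing -bor $KillBit) -Force | Out-Null
}

# Audit first; write only if the bit is missing (writing needs an elevated shell).
if (Test-ActiveXKillBit $AdodbStreamClsid) {
    Write-Output "ADODB.Stream kill bit already set: IE will not instantiate it."
} else {
    Write-Output "ADODB.Stream kill bit NOT set; applying the KB 870669 mitigation."
    Set-ActiveXKillBit $AdodbStreamClsid
    Write-Output ("Now set: " + (Test-ActiveXKillBit $AdodbStreamClsid))
}
```

Setting the kill bit only stops IE from creating the object; it does not fix the underlying IE vulnerability, so the audit is a check that the stopgap is in place rather than a substitute for the patch.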

Still to Come: A Proper Patch
As noted previously, a proper patch is still forthcoming. "The security of our customers' computers and networks is a top priority for Microsoft, and we have been working around-the-clock to further address the criminal [malicious software] malware targeting Internet Explorer users," the company noted in a related security bulletin. "In addition to this configuration change, which will protect customers against the immediate reported threats, Microsoft is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protections for our customers. Later this summer, Microsoft will release Windows XP Service Pack 2, which includes the most up-to-date network, Web browsing and e-mail features designed to help protect against malicious attacks and reduce unwanted content and downloads. A comprehensive update for all supported versions of Internet Explorer will be released once it has been thoroughly tested and found to be effective across a wide variety of supported versions and configurations of Internet Explorer."

In other words, it's going to be a while, so hang tight. I'm concerned by the fact that the company can't fix this problem more quickly, and naturally, the timing for this exploit is tough, with XP Service Pack 2 (SP2) due by the end of July or early August. This attack simply cements my belief that SP2 is a stopgap measure and that true security for Windows is as elusive as ever. Have I mentioned recently what a bad idea it was to integrate IE into the core OS?

Small Update on My Trojan Troubles
Speaking of unresolved security concerns, I've had several readers ask about my Trojan attack. Sadly, nothing much has happened: A spate of IE vulnerabilities in mid-June that sound eerily similar to the problem I experienced have yet to be patched (much like the IE vulnerability discussed earlier; anyone see a trend developing here?), so I've imaged the infected machine with Symantec's Drive Image 7.0 (formerly owned by PowerQuest), run a secure erase on the hard disk with V Communications' (VCOM's) SecurErase, and reinstalled Windows. I'll wait to see what the expected Microsoft patch does, but I'm not expecting much. I'm sorry I haven't been able to provide more information about solving this problem.
