Windows & .NET Magazine UPDATE--Understanding Download.Ject--July 6, 2004

Make sure your copy of Windows & .NET Magazine UPDATE doesn't get mistakenly blocked by antispam software! Be sure to add [email protected] to your list of allowed senders and contacts.

This Issue Sponsored By

Free Download! New Sitekeeper(R) 3.1

Security Administrator


1. Commentary: Understanding Download.Ject

2. Hot Off the Press
- Massachusetts Loses Microsoft Antitrust Appeal

3. Resources
- How Many Servers?
- Tip: Can I switch an Active Directory (AD) domain from native mode to mixed mode?

4. New and Improved
- Secure Network Access
- Check Downloaded Files for Viruses
- Tell Us About a Hot Product and Get a T-Shirt!

==== Sponsor: Free Download! New Sitekeeper(R) 3.1 ====

Keeping track of your software licenses and staying up-to-date with the latest patches is a pain -- especially if you have to do it manually. But unless you stay on top of licenses and patches, you're opening your site up to legal action and security breaches. *** NEW Sitekeeper 3.1 is the simple, affordable way to automate your systems management. Sitekeeper handles hardware and software inventories, license compliance reports and software/patch installation with just a few clicks of your mouse. No special training or dedicated hardware needed—in fact, you can start managing within minutes of installation. It's systems management software -- simplified!
Try Sitekeeper FREE—click on


==== 1. Commentary: Understanding Download.Ject ====
by Paul Thurrott, News Editor, [email protected]

Last week, I mentioned an insidious new electronic attack, which appeared to exploit vulnerabilities in both Microsoft Internet Information Services (IIS) 5.0 and Microsoft Internet Explorer (IE), marking the first time malicious users have initiated one attack that uses two different attack vectors--a server-side attack and a client-side attack. This week, I have more information about the attack and Microsoft's first, half-hearted response. The software giant says a formal patch is forthcoming, however.

Download.Ject: What Really Happened
According to Microsoft, customers began reporting the Download.Ject electronic attack the week of June 21, 2004. The attack targets Windows 2000 Server systems running unpatched versions of IIS 5.0; specifically, Download.Ject appears to target the vulnerabilities Microsoft patched with Microsoft Security Bulletin MS04-011 (Security Update for Microsoft Windows) and Microsoft Security Bulletin MS04-013 (Cumulative Security Update for Outlook Express). The malicious code inserts JavaScript code on unpatched systems--code that redirects users to an offsite Web server. That server uses a previously unknown IE vulnerability to install code on client-side systems that can record keystrokes--gathering such private information as passwords and credit card numbers.

On June 24, Microsoft issued its first response, announcing that it had shut down the Russian Web server that was initiating the attacks; this server was the one that users were being redirected to as well, so its removal effectively shut down the initial attack. However, the still-unpatched IE vulnerability means that users are open to similar attacks, and because many unpatched IIS installations are likely still operating around the world, this type of two-pronged attack will likely be imitated soon. An anxious Windows nation awaits a formal Microsoft response. To date, that response has been somewhat disappointing.

Microsoft's First Response: Configuration Change
On July 2, more than 1 week after Microsoft announced its successful take down of the Russian Web server, the company issued an unprecedented first response to the unpatched IE vulnerability. But Microsoft didn't actually patch the problem, although it says it's busy working on a true patch and will release the patch as soon as possible. Instead, the company issued a "configuration change" through Windows Update for Windows Server 2003, Windows XP, and Win2K that "improves system resiliency to protect against the Download.Ject attack," according to a Microsoft posting. The company also provided general information about securing Windows systems: Use a firewall, keep your antivirus solution up-to-date, and visit Windows Update.

So what is this configuration change? Essentially, it's a registry change that disables the ADODB.Stream object in IE. This object represents a file in memory and is used to read and write binary files and text files. The Download.Ject attack exploits a vulnerability in IE and uses the ADODB.Stream object's intended functionality to execute scripts with local privileges (typically administrator-level privileges because virtually all Windows users are running an administrator-type account). By disabling the ADODB.Stream object in IE, Microsoft is effectively undermining the Download.Ject attack on the client side. If you're interested in more information about this configuration change, the Microsoft article "How to disable the ADODB.Stream object from Internet Explorer" ( ) describes how to manually achieve the same result. The company is also providing information to help you determine whether your system is infected and instructions for cleaning an infected system (

Still to Come: A Proper Patch
As noted previously, a proper patch is still forthcoming. "The security of our customers' computers and networks is a top priority for Microsoft, and we have been working around-the-clock to further address the criminal \[malicious software\] malware targeting Internet Explorer users," the company noted in a related security bulletin. "In addition to this configuration change, which will protect customers against the immediate reported threats, Microsoft is working to provide a series of security updates to Internet Explorer in coming weeks that will provide additional protections for our customers. Later this summer, Microsoft will release Windows XP Service Pack 2, which includes the most up-to-date network, Web browsing and e-mail features designed to help protect against malicious attacks and reduce unwanted content and downloads. A comprehensive update for all supported versions of Internet Explorer will be released once it has been thoroughly tested and found to be effective across a wide variety of supported versions and configurations of Internet Explorer."

In other words, it's going to be a while, so hang tight. I'm concerned by the fact that the company can't fix this problem more quickly, and naturally, the timing for this exploit is tough, with XP Service Pack 2 (SP2) due by the end of July or early August. This attack simply cements my belief that SP2 is a stopgap measure and that true security for Windows is as elusive as ever. Have I mentioned recently what a bad idea it was to integrate IE into the core OS?

Small Update on My Trojan Troubles
Speaking of unresolved security concerns, I've had several readers ask about my Trojan attack. Sadly, nothing much has happened: A spate of IE vulnerabilities in mid-June that sounds eerily similar to the problem I experienced have yet to be patched (much like the IE vulnerability discussed earlier; anyone see a trend developing here?), so I've imaged the infected machine with Symantec's Drive Image 7.0(formerly owned by PowerQuest), run a secure erase on the hard disk with V Communications' (VCOM's) SecurErase, and reinstalled Windows. I'll wait to see what the expected Microsoft patch does, but I'm not expecting much. I'm sorry I haven't been able to provide more information about solving this problem.


==== Sponsor: Security Administrator ====

Try a Sample Issue of Security Administrator!
Security Administrator is the monthly newsletter from Windows & .NET Magazine that shows you how to protect your network from external intruders and control access for internal users. Sign up now to get a 1-month trial issue--you'll feel more secure just knowing you did. Click here!


==== 2. Hot Off the Press ====
by Paul Thurrott, [email protected]

Massachusetts Loses Microsoft Antitrust Appeal
Massachusetts, the sole remaining nonsettling state in Microsoft's epic US antitrust case, received a stinging legal defeat last week when the US Court of Appeals for the District of Columbia Circuit shut down the state's appeal attempt. In a tersely worded ruling, the court rejected the state's argument that the Microsoft settlement didn't curb the software giant's voracious anticompetitive behavior. To read the complete story, visit the following URL:

==== Announcements ====
(from Windows & .NET Magazine and its partners)

Online Resource for SQL Server DBAs and Developers
Visit the SQL Server Magazine Web site and experience a helpful resource offering the easy-to-find SQL Server solutions, news, guidance, and how-to information you're looking for. Reference lists of active forums, hot topic discussions, keyword searches, free Web seminars, FAQs, and much more. The site also features Web-exclusive columns by Itzik Ben-Gan. Check it out:

Windows Connections October 24-27, Orlando, Florida.
Save these dates for the Fall 2004 Windows Connections conference, which will run concurrently with Microsoft Exchange Connections. Register early and receive admission to both conferences for one low price. Learn firsthand from Microsoft product architects and the best third-party experts. Go online or call 800-505-1201 for more information.

New Free Web Seminar--Securing Your Windows and Exchange Environments
Everyone has a network-configured firewall and an up-to-date antivirus scanner, yet malware attacks still happen. In this free Web seminar, Roger Grimes and Steve Bryant will address Windows Server 2003 and Exchange Server 2003 security challenges and help secure your systems the right way. Register now!

Did You Miss the Live Microsoft Security Strategies Roadshow?
Microsoft has teamed with Avanade and Network Associates to bring you the on-demand Webcast from the Microsoft Security Strategies Roadshow tour. Join industry guru Mark Minasi and learn more about tips to secure your Windows Server 2003 and Windows 2000 network, plus more! Register now.

==== Instant Poll ====

Results of Previous Poll: Download.Ject Trojan
The voting has closed in Windows & .NET Magazine's nonscientific Instant Poll for the question, "Did the Download.Ject Trojan affect your home computers or your company's computers?" Here are the results from the 272 votes:
- 3% Yes, the Trojan hit my company's computers
- 3% Yes, the Trojan hit my home computers
- 3% Yes, the Trojan hit both my company's computers and my home computers
- 91% No, the Trojan hit neither my home computer nor my company's computers

New Instant Poll: Security Bulletin Notification Service
The next Instant Poll question is, "Do you subscribe to the Microsoft Security Notification Service?" Go to the Windows & .NET Magazine home page and submit your vote for a) Yes, b) No, but I plan to, or c) No, and I don't plan to.

==== 3. Resources ====

Featured Thread: How Many Servers?
Forum user rpenhale is looking for help restructuring his network at a secondary school. He wants to know how many servers to use to provide service to about 500 PCs. If you can help, join the discussion at the following URL:

Tip: Can I switch an Active Directory (AD) domain from native mode to mixed mode?
by John Savill,

After you've changed an AD domain to native mode, it remains in native mode. You can't perform an authoritative restore to change the AD domain from native mode to what it was before the switch (i.e., mixed mode).

If you haven't yet changed from mixed to native mode and believe you might want to switch back at some point, you should take one of the domain controllers (DCs) offline (thereby ensuring that it doesn't hold any of the Flexible Single-Master Operation--FSMO--roles), then perform the switch to native mode. Should you need to switch the AD domain back to mixed mode, perform the following steps: 1. Turn off all the DCs. 2. Turn on the offline mixed-mode DC you set aside. 3. Use Ntdsutil to give that DC all the FSMO roles. 4. Rebuild all the other DCs from scratch; don't bring them online as DCs.

Be aware that some applications might have switched to native-mode compatibility and thus won't work when the domain is returned to mixed mode.

==== Events Central ====
(A complete Web and live events directory brought to you by Windows & .NET Magazine: )

Free Roadshow in Your City Soon--HP Wireless & Mobility Roadshow 2004
In this free Roadshow, you'll discover trends in the wireless and mobility industry and come away with a better understanding of wireless and mobility solutions. And, talk first hand about your wireless projects with leaders in the industry. See proven wireless and mobile solutions in action. Register now!

==== 4. New and Improved ====
by Angie Brew, [email protected]

Secure Network Access
IS Decisions released UserLock 3.0, software that secures access to Windows 2003/XP/2000/NT networks. UserLock tracks, notifies, and reports the logon and logoff activity of your domains and limits the number of simultaneous connections under the same username on a network. The product features printable reports about user-sessions history and sessions statistics, email or pop-up notifications about successful and unsuccessful logons and logoffs, and the ability to remotely log off users from the UserLock console. UserLock supports workstation and terminal sessions. You can download a free trial version from the vendor's Web site. For pricing, contact IS Decisions at [email protected]

Check Downloaded Files for Viruses GFI announced an update to GFI DownloadSecurity for ISA Server 6.0 to support Microsoft Internet Security and Acceleration (ISA) Server 2004. GFI DownloadSecurity is a content-security product that scans all downloaded files for viruses, then lets you decide which files can enter your network. The software lets you configure rule sets based on file type and user. The product includes multiple antivirus engines, a Trojan & Executable Scanner, and networkwide blocking of Java applets and ActiveX controls. The product will launch when ISA Server 2004 is released. GFI DownloadSecurity pricing starts at $315 for 25 users and includes 1 year of free antivirus engine updates. Contact GFI at 919-379-3397 or 888-243-4329.

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]

==== Sponsored Links ====

Comparison Paper: The Argent Guardian Easily Beats Out MOM;6480843;8214395;q?


==== Contact Us ====

About the newsletter -- [email protected] About technical questions -- About product news -- [email protected] About your subscription -- [email protected] About sponsoring UPDATE -- [email protected]


==== Contact Our Sponsors ====

Primary Sponsor:
Executive Software --


This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

View the Windows & .NET Magazine Privacy policy at Windows & .NET Magazine a division of Penton Media, Inc. 221 East 29th Street, Loveland, CO 80538, Attention: Customer Service Department Copyright 2004, Penton Media, Inc. All Rights Reserved.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.