IIS/IE vuln attack; MAILsweeper update; Domino flaws


This issue's topics:

Introduction:

* IIS/IE vuln attack; MAILsweeper update; Domino flaws; May phishing report

Virus News:

* Keylogger installed via unpatched IE vuln; from owned IIS boxes

* Hungarian virus writer sentenced

Security News:

* Multiple security and stability patches for MAILsweeper

* Two Domino server problems to go unfixed for now

* Only small rise in phishing attacks in May

Introduction:

My editors are breathing down my neck again, so a very brief intro this week...

The big news of the week (though quite overhyped in many places and with much misinformation about it floating around) has to be the 'IIS hack and IE keylogger installation' story from late last Friday. The long item in the virus section covers this incident in some detail. Also in that section, news of the sentencing of another virus writer - the Hungarian teenager responsible for writing and releasing Magold earlier in the year has had his day in court.

On the security front, Domino server administrators should read the item about two possible problems they may face in Domino that IBM has no plans to fix anytime soon and MAILsweeper sites should consider getting the latest update that includes several security-related fixes. Finally, for some light weekend reading, the May 'phishing report' from the Anti-Phishing Working Group may be of interest to some of our readers.

Virus News:

* Keylogger installed via unpatched IE vuln; from owned IIS boxes

Last weekend was a bad one for Microsoft. Reports swirled of keyloggers being installed on victim machines via a new IE vulnerability for which Microsoft has not yet released a patch. Worse, the web servers serving up these exploits had apparently been compromised in some way and their configurations changed to send the IE-compromising code.

In fact, two different IE vulnerabilities were targeted by the exploit code placed on compromised IIS 5.0 servers. One vulnerability has already been fixed in the latest IE security patch (MS04-014) but the other is a new exploit discovered in use in the wild a couple of weeks ago that Microsoft has not released a patch for yet. Murmurings from inside the Microsoft Security Response Center suggest that such a patch will be released just as soon as it is available, but given the time that passed between the discovery of the first vulnerability exploited in this latest attack and the release of MS04-014, and the fact that this vulnerability was extensively exploited by spammers, viruses and spyware spreaders in the intervening time, your newsletter compiler does not suggest holding your breath awaiting this new patch.

Precisely how the IIS servers dishing up the modified web pages that tried to exploit these two IE vulnerabilities were compromised is unknown, although they seem more likely to have been manual attacks and not the work of a worm as was originally rumoured. Utility programs and associated files found on some of those servers show that, regardless of how they were compromised, the servers' IIS configurations were altered to enable the 'footer' function in IIS, causing the server to add some extra HTML scripting code to the end of all the files it served. This included graphic files such as .JPG and .GIF files, leading to early reports incorrectly suggesting that there was an exploit of an unknown graphics file format bug in IE going round.

The additional HTML and scripting code added by the IIS server as a page footer caused web browsers to download a page from a Russian server and, in turn, that page contained the code exploiting the two IE vulnerabilities. Some of the usual antivirus vendor descriptions linked below include two links, as they describe the keylogger the Russian site tried to install separately from the web page code that actually downloaded the keylogger via the two IE vulnerabilities. The incident was fairly short-lived as access to the Russian server hosting the malicious components (the installer scripts and keylogger) was quickly shut down.
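A web administrator wanting to check their own server for the footer behaviour described above could look for bytes appended after the structural end of the files it serves. The following script is an added example, not part of the original newsletter and not any vendor's tool: it walks the GIF block structure to find the real trailer (searching for the ';' byte is unreliable once script text has been appended), takes the last EOI marker for JPEG, the last closing tag for HTML, and reports any trailing data and whether it looks like markup. The sample image bytes and the footer text are constructed here, and all function names are my own.

```python
import re
from typing import Optional

MARKUP = re.compile(rb"<\s*(script|html|iframe|object)\b", re.IGNORECASE)


def _skip_subblocks(data: bytes, pos: int) -> Optional[int]:
    """Skip a run of GIF data sub-blocks; return offset after the 0x00 terminator."""
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n
    return None


def gif_end(data: bytes) -> Optional[int]:
    """Offset just past the GIF trailer, found by parsing the block structure.
    Returns None if the file is not a GIF or the structure is truncated."""
    if not data.startswith((b"GIF87a", b"GIF89a")) or len(data) < 13:
        return None
    packed = data[10]                      # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                      # global colour table present
        pos += 3 * (2 << (packed & 0x07))  # 3 bytes * 2^(n+1) entries
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                  # trailer: end of image
            return pos
        if block == 0x21:                  # extension: label byte, then sub-blocks
            pos += 1
        elif block == 0x2C:                # image descriptor
            if pos + 9 > len(data):
                return None
            lpacked = data[pos + 8]
            pos += 9
            if lpacked & 0x80:             # local colour table
                pos += 3 * (2 << (lpacked & 0x07))
            pos += 1                       # LZW minimum code size
        else:
            return None
        pos = _skip_subblocks(data, pos)
        if pos is None:
            return None
    return None


def jpeg_end(data: bytes) -> Optional[int]:
    """Offset just past the last EOI marker. Appended text will not contain
    FF D9, so the last occurrence is the real end of the picture."""
    if not data.startswith(b"\xff\xd8"):
        return None
    idx = data.rfind(b"\xff\xd9")
    return None if idx < 0 else idx + 2


def html_end(data: bytes) -> Optional[int]:
    """Offset just past the last </html>; script after it is a footer candidate."""
    idx = data.lower().rfind(b"</html>")
    return None if idx < 0 else idx + len(b"</html>")


def inspect_response(content_type: str, body: bytes) -> dict:
    """Classify one served response: how many bytes follow the natural end of
    the declared format and whether those bytes contain HTML/script markup."""
    ctype = content_type.split(";")[0].strip().lower()
    finder = {"image/gif": gif_end, "image/jpeg": jpeg_end, "text/html": html_end}.get(ctype)
    if finder is None:
        return {"checked": False, "malformed": False, "trailing": 0, "markup": False}
    end = finder(body)
    if end is None:
        return {"checked": True, "malformed": True, "trailing": 0, "markup": False}
    tail = body[end:]
    return {"checked": True, "malformed": False, "trailing": len(tail),
            "markup": MARKUP.search(tail) is not None}


# Constructed samples: a 1x1 GIF, a bare JPEG frame, a tiny page, and a footer.
GIF_1X1 = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" b"\x00\x00\x00\xff\xff\xff"
           b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" b"\x02\x02\x44\x01\x00\x3b")
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
PAGE = b"<html><body>hello</body></html>"
FOOTER = b"\r\n<script>/* constructed footer text, not real exploit code */</script>"

if __name__ == "__main__":
    for name, ctype, body in [("clean gif", "image/gif", GIF_1X1),
                              ("gif+footer", "image/gif", GIF_1X1 + FOOTER),
                              ("jpeg+footer", "image/jpeg", JPEG_STUB + FOOTER),
                              ("page+footer", "text/html", PAGE + FOOTER)]:
        print(name, inspect_response(ctype, body))
```

Run over files fetched from the server (or responses captured at a proxy) rather than the files on disk: the footer is added at serve time, so the on-disk copies look clean.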

Finally, this incident seems to have moved the CERT Co-ordination Center (CERT/CC) to a very strong stand on the desirability, or otherwise, of running IE as a web browser. In its Vulnerability Note (linked below) describing the new IE cross-domain vulnerability exploited by Scob, CERT/CC suggests the extreme step of using 'a different web browser' as a suitable workaround to avoid this vulnerability. The vulnerability note adds '[t]here are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser, especially when browsing untrusted sites. Such a decision may, however, reduce the functionality of sites that require IE-specific features such as DHTML, VBScript, and ActiveX. Note that using a different web browser will not remove IE from a Windows system, and other programs may invoke IE, the WebBrowser ActiveX control, or the HTML rendering engine (MSHTML)'. This is advice your newsletter compiler has been promoting for several years now.

IE does not properly validate source of redirected frame - cert.org

What You Should Know About Download.Ject - microsoft.com

Computer Associates Virus Information Center

F-Secure Security Information Center

Network Associates Virus Information Library

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

Trend Micro Virus Information Center

* Hungarian virus writer sentenced

Publicly identified only as 'Laszlo K' because his age at the time of the offence made him a minor under Hungary's criminal code, the writer of the Magold viruses has been sentenced to one year of juvenile prison. However, Veszprem City Court has commuted that sentence to two years' probation.

Hungarian virus writer avoids jail - theregister.co.uk

Security News:

* Multiple security and stability patches for MAILsweeper

ClearSwift has released Technology Update 1.4.14 for its e-mail content filtering product MAILsweeper for SMTP, bringing all 4.3.x versions with SP2 installed up to version 4.3.14. This fixes several security, stability and performance issues and is recommended to all MAILsweeper 4.3.x users.

ReadMe for MAILsweeper for SMTP 4.3.14 - mimesweeper.com

* Two Domino server problems to go unfixed for now

In the last few days two issues with Domino that IBM is said to be aware of, but for which no fix is planned until at least the release of Domino 7.0, have been reported to the Bugtraq mailing list.

The first, and more serious, results in a potential denial of service against the entire Domino server. The entire server process reportedly crashes, requiring a restart to restore any Domino service, when a user tries to read an 'over large' e-mail message via Domino Web Access. It appears that no precise message size is known to be 'too big' and, for the meantime, short of disabling Web Access, IBM recommends setting a maximum message size so over-large messages cannot be delivered in the first place.

The second is the ability of any Domino user with IMAP or IMAPS access to the messagestore to arbitrarily alter their storage quota limit, including increasing it beyond what the system administrator may have set it to.

Both links below are to archived copies of Bugtraq mailing list messages.

DoS against Domino 6.5.1 - securityfocus.com

Unprevileged [sic] user can change quota on Domino - securityfocus.com

* Only small rise in phishing attacks in May

The Anti-Phishing Working Group (APWG) has released its analysis of phishing scams reported in May. Although one month is too short a time to say for sure, it appears that the previously rapid growth in such 'attacks' may be levelling off. Even if that's the case though, we are a long way from reversing, or better yet, eliminating such problems.

Phishing Attack Trends Report May, 2004 - antiphishing.org (~220KB PDF)
