Full Disclosure mailing list archives
SV: New malware to infect IIS and from there jump to clients
From: "Peter Kruse" <kruse () krusesecurity dk>
Date: Fri, 25 Jun 2004 08:05:28 +0200
Hi Nick,
It does this via the now very old ms-its: protocol zone-handling bug... Apparently someone needs to decode a few more levels of JavaScript, etc to work this all out...
I don't think so. This looks a lot like the unpatched IE bug that was also exploited by the Ilookup trojan. See http://62.131.86.111/analysis.htm.
Consider denying access to http://217.107.218.147 in your firewall. This will at least prevent client PCs from getting infected.
Thanks Peter, but what about all the _other_ servers out there also hosting more or less exactly the same files? Are you going to provide a list of all those IPs too?
Why should I? I think you should look at the code again, Nick. When the javascript runs it will try to redirect you to a remote server http://217.107.218.147. This is where the MSITS.EXE and the javascripts are stored. As far as I know they do not reside on the compromised IIS servers, but simply pulls off the payload from the remote host. Meanwhile the host is no longer available.
Regards
Peter Kruse
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html