Current Activity Calendar
July 12, 2004 - Current Activity
This is an archived copy of current activity; the most recent version is available from the current activity page.
IIS 5 Web Server Compromises added June 24 | updated July 2
US-CERT is aware of activity affecting compromised web sites running Microsoft's Internet Information Server (IIS) 5 and end-user systems that visit these sites.
IIS Web Servers
End-User Systems
This activity is another example of why end users must exercise caution when JavaScript is enabled in their web browser. Disabling JavaScript will prevent this activity from affecting an end-user's system, but may also degrade the appearance and functionality of some web sites that rely upon JavaScript. US-CERT recommends that end users disable JavaScript unless it is absolutely necessary. Users should be aware that any web site, even one the user trusts, may be affected by this activity and thus contain potentially malicious code.

Microsoft has released an important security update for Internet Explorer (IE). This update reduces the impact of attacks against several vulnerabilities in IE. For additional information, please refer to TA04-184A and VU#713878.

W32/Korgo added June 2 | updated June 24
US-CERT continues to receive reports of variants of a worm known as "W32/Korgo" or "W32/Padobot". This worm attempts to exploit a buffer overflow vulnerability in the Windows Local Security Authority Service Server (LSASS). This vulnerability allows a remote attacker to execute arbitrary code with SYSTEM privileges. More information on this vulnerability is available in Vulnerability Note VU#753212 and Microsoft Security Bulletin MS04-011.

This worm propagates by scanning random IP addresses on port 445/tcp to identify vulnerable systems. Upon finding a vulnerable system, the worm will attempt to exploit the LSASS vulnerability. If successful, the worm will open a connection on port 113/tcp or port 3067/tcp and may attempt to connect to a list of pre-determined IRC servers.

US-CERT strongly encourages users to install and maintain anti-virus software as well as patch their systems to prevent exploitation of this vulnerability. You may also wish to visit the US-CERT computer virus resources page.

W32/Sasser added May 1 | updated June 24
US-CERT continues to receive reports of a worm known as "W32/Sasser".
This worm attempts to exploit a buffer overflow vulnerability in the Windows Local Security Authority Service Server (LSASS). The vulnerability allows a remote attacker to execute arbitrary code with SYSTEM privileges. More information on this vulnerability is available in Vulnerability Note VU#753212 and Microsoft Security Bulletin MS04-011.

The worm has been reported to propagate by scanning random IP addresses on port 445/tcp to identify vulnerable systems. When a vulnerable system is found, the worm will exploit the LSASS vulnerability, create a remote shell on port 9996/tcp, and start an FTP server on port 5554/tcp. The victim system will then connect back to the attacking system on port 5554/tcp to retrieve a copy of the worm. Systems infected by this worm may notice significant performance degradation.

US-CERT strongly encourages users to install anti-virus software and keep their virus signature files up to date. You may also wish to visit the US-CERT computer virus resources page.

Exploit for Microsoft PCT vulnerability released added April 22
Exploit code has been publicly released that takes advantage of a buffer overflow vulnerability in the Microsoft Private Communication Technology (PCT) protocol. The vulnerability allows a remote attacker to execute arbitrary code with SYSTEM privileges. More information about the vulnerability is available in TA04-104A and VU#586540.

US-CERT is aware of network activity that is consistent with scanning and/or exploit attempts against this vulnerability. Reports indicate increased network traffic to ports 443/tcp and 31337/tcp. The PCT protocol runs over SSL (443/tcp) and the known exploit code connects a command shell on 31337/tcp. Note that the exploit code could be modified to use a different port or to execute different code. This vulnerability is remedied by the patches described in Microsoft Security Bulletin MS04-011.
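The W32/Korgo and W32/Sasser entries above describe the same propagation pattern (a sweep of random hosts on 445/tcp) followed by different post-infection ports. The following added example, not part of the US-CERT bulletin, turns those observations into a simple detection pass over connection logs: a host that probes many distinct peers on 445/tcp is treated as a scanner, and the other ports it touches decide which worm the traffic resembles. The log format, the host addresses, and the threshold of 20 distinct targets are assumptions made for the example.

```python
from collections import defaultdict
# Ports from the bulletin: 445/tcp is the LSASS scan target both worms share,
# the rest are what each worm opens or connects to once a host is infected.
LSASS_PORT = 445
KORGO_PORTS = {113, 3067}    # listener opened on a Korgo-infected host
SASSER_PORTS = {9996, 5554}  # remote shell and FTP server on a Sasser victim
SCAN_THRESHOLD = 20          # assumed: distinct 445/tcp targets before a host counts as scanning

def parse_line(line):
    """'<ts> <src> <dst>:<port>' (assumed format) -> (src, dst, port), or None if malformed."""
    parts = line.split()
    if len(parts) != 3 or ":" not in parts[2]:
        return None
    dst, port = parts[2].rsplit(":", 1)
    return (parts[1], dst, int(port)) if port.isdigit() else None

def classify_hosts(lines):
    """Label hosts whose traffic matches the propagation patterns above."""
    targets_445 = defaultdict(set)  # src -> distinct hosts probed on 445/tcp
    other_ports = defaultdict(set)  # host -> non-445 ports seen as src or dst
    for rec in filter(None, map(parse_line, lines)):
        src, dst, port = rec
        if port == LSASS_PORT:
            targets_445[src].add(dst)
        else:
            other_ports[src].add(port)
            other_ports[dst].add(port)
    verdicts = {}
    for src, targets in targets_445.items():
        if len(targets) < SCAN_THRESHOLD:
            continue  # a few 445 connections are ordinary SMB file-sharing traffic
        ports = other_ports[src]
        if ports & SASSER_PORTS:
            verdicts[src] = "sasser"
        elif ports & KORGO_PORTS:
            verdicts[src] = "korgo"
        else:
            verdicts[src] = "lsass-scanner"  # 445 sweep, variant not confirmed
    return verdicts

def build_sample():
    """Constructed log (not a real capture): a Sasser-like host, a Korgo-like
    host, a file server with normal SMB traffic, and one malformed line."""
    log = [f"2004-07-12T10:00:{i:02d} 10.0.0.5 192.0.2.{i}:445" for i in range(1, 31)]
    log.append("2004-07-12T10:01:00 10.0.0.5 192.0.2.7:5554")    # victim fetches worm copy
    log += [f"2004-07-12T10:02:{i:02d} 10.0.0.9 198.51.100.{i}:445" for i in range(1, 26)]
    log.append("2004-07-12T10:03:00 203.0.113.4 10.0.0.9:3067")  # peer reaches Korgo listener
    log += [f"2004-07-12T10:04:00 10.0.0.2 10.0.0.{i}:445" for i in range(20, 24)]
    log.append("not a log line")
    return log
```

Running `classify_hosts(build_sample())` flags 10.0.0.5 as Sasser-like and 10.0.0.9 as Korgo-like while leaving the file server 10.0.0.2 alone; a real deployment would feed it netflow or firewall records and tune the threshold to the network's normal SMB fan-out.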
Exploitation of Outlook Express MHTML cross-domain scripting vulnerability added April 7 | updated April 21
US-CERT is aware of exploitation of a cross-domain scripting vulnerability in the Outlook Express MIME Encapsulation of Aggregate HTML Documents (MHTML) protocol handler. The MHTML protocol handler is installed as part of Outlook Express and uses Internet Explorer (IE) to access mhtml: URLs. Microsoft Windows systems install Outlook Express, IE, and the vulnerable MHTML handler by default. By convincing a victim to view an HTML document (web page, HTML email), an attacker could execute arbitrary code with the privileges of the user running IE and possibly read or modify content in another web site. More information about the vulnerability is available in TA04-099A and VU#323070.

This vulnerability appears to be exploited by the Ibiza trojan, W32/Bugbear.E, and various web sites that host malicious URLs and related malware. Exploits also may be identified as BloodHound.Exploit.6. Attackers may distribute malicious URLs in unsolicited email, instant messages, chat rooms, or web forums. Attackers may also distribute exploits in HTML email messages.

This vulnerability is remedied by the patches described in Microsoft Security Bulletin MS04-013. For additional protection against these types of attacks, do not click on unsolicited links and maintain updated anti-virus software. Please see US-CERT Incident Note IN-2004-02 for more information.

US-CERT strongly encourages users to install and maintain anti-virus software. We also encourage users to exercise discretion when opening any email attachment. You may also wish to visit US-CERT's computer virus resources page.