Windows IT Pro is the authoritative and independent resource for Windows NT, Windows 2000, Windows 2003, and Windows XP. Features a collection of resources and magazines for Windows IT professionals.
June 25, 2004

Vulnerable IIS Sites and IE Users Under Attack


A new form of attack is spreading around the Internet, but to what extent remains unknown at the time of this writing. The attack affects unpatched Microsoft IIS systems, which are then made to attack unprotected Microsoft Internet Explorer (IE) systems.

Intruders use an overflow condition in IIS to compromise an unpatched system. The vulnerability lies in the Private Communications Transport (PCT) protocol support in Microsoft's Secure Sockets Layer (SSL) library. Malicious JavaScript code is inserted into the Web pages the compromised server serves, and when unprotected IE users visit one of those pages, IE might run the JavaScript on the user's system. The script then injects the attacker's code of choice into the user's system.

Administrators should install Microsoft patch MS04-011 to protect IIS. According to iDEFENSE, IE users are being compromised through a combination of two vulnerabilities: one in the handling of MIME Encapsulated Aggregate HTML (MHTML) and one in ADODB. Microsoft has made a patch available for the MHTML issue (MS04-013); however, no patch is yet available for the ADODB vulnerability. IE users should consider disabling Active Scripting in IE to protect their systems against these attacks.

Microsoft published an article, "Download.Ject," for users who might be infected by this particular attack. In the article, Microsoft says that if users search their systems and find two files, kk32.dll and surf.dat, those files probably indicate that the system is infected. Microsoft recommends that users clean their systems with a virus-scanning tool.

LURHQ, a managed security services provider, published a detailed analysis of the attack, which the company said installs the Berbew/Webber/Padodor Trojan on users' systems. The company said that when a user visits a compromised Web site, the Trojan will be downloaded from a Russian Web server, and the Trojan then "copies itself to the system directory using a random name, and also extracts a DLL file which acts as a loader for the [executable file] at boot time using the ShellServiceObjectDelayLoad registry key."
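The two host-side indicators the article gives (the kk32.dll and surf.dat files Microsoft names, and the ShellServiceObjectDelayLoad persistence key LURHQ describes) can be checked with a short triage script. The following is an added example, not code from Windows IT Pro, Microsoft, or LURHQ; the baseline set of expected ShellServiceObjectDelayLoad value names is an assumption and must be replaced with names captured from a known-clean host of the same Windows build.

```python
"""Download.Ject host triage (added example).

Checks two things the article describes:
  1. whether kk32.dll or surf.dat is present in the system directory, and
  2. whether the ShellServiceObjectDelayLoad (SSODL) key holds any value name
     that is not in a baseline, since the Berbew loader DLL is registered there
     under a random name.
"""
import os
import sys

# Indicator file names from Microsoft's Download.Ject article.
INDICATOR_FILES = ("kk32.dll", "surf.dat")

SSODL_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"


def match_indicator_names(names):
    """Return the indicator file names present in `names` (case-insensitive)."""
    lowered = {n.lower() for n in names}
    return [f for f in INDICATOR_FILES if f in lowered]


def find_indicator_files(directory):
    """List `directory` and report which indicator files it contains."""
    try:
        return match_indicator_names(os.listdir(directory))
    except OSError:          # directory missing or unreadable: nothing to report
        return []


def unexpected_ssodl_entries(entries, baseline):
    """Return {value_name: clsid} for SSODL values whose name is not in `baseline`.

    `entries` is the SSODL key read as a dict; `baseline` is the set of value
    names expected on this build. A loader registered under a random name is
    not in the baseline and is therefore returned.
    """
    return {name: clsid for name, clsid in entries.items() if name not in baseline}


def read_ssodl_entries():
    """Read the live SSODL values on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SSODL_KEY) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries[name] = value
            index += 1
    return entries


def triage(system_dir, baseline):
    """Run both checks and return one report dict."""
    return {
        "indicator_files": find_indicator_files(system_dir),
        "unexpected_ssodl": unexpected_ssodl_entries(read_ssodl_entries(), baseline),
    }


if __name__ == "__main__":
    # ASSUMPTION: placeholder baseline; replace with value names captured
    # from a known-clean host of the same Windows build.
    baseline = {"PostBootReminder", "CDBurn", "WebCheck", "SysTray"}
    system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    print(triage(system_dir, baseline))
```

The registry read is isolated in `read_ssodl_entries` so the comparison logic can be exercised anywhere; an empty result on a non-Windows host means "not checked", not "clean".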

LURHQ said the Trojan is designed for "phishing" attacks: it gathers logon information from users who log on to eBay, PayPal, EarthLink, Juno, and Yahoo! Web mail. The company said the Trojan might also create fake pop-up windows to entice users to enter credit card information and associated PIN numbers. The Trojan also hides itself from the process list by patching certain DLLs already loaded in memory. The company also made available a list of steps for manual removal of the Trojan from infected systems, as well as a Snort intrusion detection signature (shown below) that administrators can add to their Snort installations.

alert tcp any any -> any 80 (msg:"Webber/Berbew trojan keystroke log upload"; flow:established; content:"id=crutop|26|vvpupkin0="; depth:20; classtype:trojan-activity; reference:url,www.lurhq.com/berbew.html; sid:1000108; rev:1;)
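To see what this signature actually matches, the following added example applies the rule's `content` and `depth` options to constructed payloads. It is not LURHQ's code or part of Snort; it implements only the two options the rule uses (a content string with `|hex|` escapes, and `depth`), and the sample payloads are made up for illustration.

```python
"""Apply the content/depth options of the Berbew Snort rule to sample payloads
(added example; implements only the subset of Snort rule syntax used above)."""

RULE_CONTENT = "id=crutop|26|vvpupkin0="   # content: option from the rule
RULE_DEPTH = 20                            # depth:20 from the rule


def parse_content(spec):
    """Convert a Snort content string to bytes.

    Text between pipe characters is hex (|26| is '&'); everything else is
    taken literally.
    """
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:                         # odd segments sit inside |...|
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def content_matches(payload, spec, depth=None):
    """True if `spec` occurs in `payload`, with the whole match inside the first `depth` bytes."""
    pattern = parse_content(spec)
    window = payload if depth is None else payload[:depth]
    return pattern in window


def rule_matches(payload):
    """Evaluate the rule's single content match against one packet payload."""
    return content_matches(payload, RULE_CONTENT, RULE_DEPTH)


# Constructed sample payloads, not real captures.
SAMPLES = {
    # keystroke-log upload body starting at offset 0: alert
    "log_upload": b"id=crutop&vvpupkin0=" + b"ZGF0YQ==",
    # same string but preceded by 24 bytes: outside depth:20, no alert
    "after_filler": b"X-Filler: 0123456789\r\n\r\n" + b"id=crutop&vvpupkin0=",
    # ordinary form post: no alert
    "benign": b"id=search&q=windows+update",
}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name}: {'ALERT' if rule_matches(payload) else 'no match'}")
```

Note that the decoded content is exactly 20 bytes and the rule sets depth:20, so the signature only fires when the string begins the packet payload; if the upload were ever sent with the form fields in a different order, or with the body in the same packet as the HTTP headers, this particular rule would not match.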




Reader Comments
I appreciate your help in these matters. The simplicity in which you approach the resolutions of these issues is a lifesaver AND a timesaver for a non-techie like myself. Thanks again.

Jeff June 26, 2004


It is too late for me. I have lost the use of Internet Explorer due to something called "incredifind". Every time I try to use IE 6.0, it goes to incredifind and then gives me the error message of not being able to find the page.

If you know, could you tell me how to take IE right out of my Windows XP Home. I would like to trash it and re-download it.

Anne Simon June 29, 2004


Response to Anne:
It really isn't possible to completely remove IE.
To solve your problem I would recommend trying 2 FREE tools:
Spybot (http://www.safer-networking.org or http://www.download.com/3000-8022-10122137.html) and AdAware (http://www.lavasoft.de/) to remove the malware. Be careful if you try to use other "free" spyware and adware removal tools... they often are spyware themselves!
I highly recommend the 2 tools listed above and use them myself.
Also, just as a general rule, make sure that you are running currently updated antivirus and have the latest updates from Microsoft installed on your machine. (windowsupdate.microsoft.com will check the updates for you)
Also, a quick search on Google for "incredifind" turned up a lot of suggestions and information. The following link explains what incredifind is (watch the link wrapping): http://www.kephyr.com/spywarescanner/library/incredifind/index.phtml
So does this one and gives additional removal instructions if Spybot/Adaware don't get it:
http://www.2-spyware.com/parasite-incredifind.html
When you want to find out about something, Google is your friend! Hope that helps!!!

Nick June 29, 2004


Good article. I appreciate the links and the snort sig.
Here's a suggestion: an article about mitigation for the ADODB vulnerability. I don't think that just disabling Active Scripting in the Internet Zone cuts it.
I believe we will see more of these types of virus/spyware attacks through that browser hole... wouldn't it be nice to be able to say that you provided your readers with the ability to prevent/mitigate infection when the next one of these comes to light?

Nick June 29, 2004


Anne - What you have is a browser hijacker.

IncrediFind

Overview
IncrediFind is an Internet Explorer browser helper object that hijacks your error page.

From the developer: IncrediFind is a free utility for Microsoft Internet Explorer version 5 or later that provides contextually-relevant search results in place of unfound and unavailable web pages, and allows users to search the web by simply typing any keywords or search terms in their Internet Explorer address bar.

Classification
Adware

Files
incfindbho.dll

Vendor
Incredifind.com

Privacy policy
No privacy policy available

Detection
Adaware and Spybot detect IncrediFind. You can download and run these for free.

Uninstall procedure
Uninstall IncrediFind from "Add/Remove Programs" in the Windows® Control Panel.

Manual removal
Please follow the instructions below if you would like to remove IncrediFind manually. Please notice that you must follow the instructions very carefully and delete everything that is mentioned. In most cases the removal will fail if one single item is not deleted. If IncrediFind remains on your system after stepping through the removal instructions, please double-check by stepping through them again.
Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)
Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Classes \ CLSID \ {5D60FF48-95BE-4956-B4C6-6BB168A70310}', if it exists.
Delete 'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Explorer \ Browser Helper Objects \ {5D60FF48-95BE-4956-B4C6-6BB168A70310}', if it exists.
Exit the registry editor.
Restart your computer.
Start Windows Explorer and delete:
%ProgramsDir%\IncrediFind\BHO\incfindbho.dll
Note: %ProgramsDir% is a variable (?). By default, this is C:\Program Files.
Start Microsoft Internet Explorer.
In Internet Explorer, click Tools -> Internet Options.
Click the Programs tab -> Reset Web Settings.

Eric June 29, 2004
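The removal steps above touch two registry locations: the Browser Helper Objects key, which lists the CLSIDs IE loads, and the CLSID key, where each CLSID's InprocServer32 subkey names the DLL. The following added example enumerates both so an administrator can review every BHO before deleting anything; it is not code from the comment, from kephyr.com, or from Microsoft. Registry access is passed in as two callables so the logic runs on any platform; `winreg_adapters` is the live Windows adapter, and the sample registry contents are constructed, with the IncrediFind CLSID and DLL path taken from the comment and a second, made-up CLSID standing in for an orphaned entry.

```python
"""Enumerate IE Browser Helper Objects and resolve each CLSID to its DLL
(added example; registry reads are abstracted so the logic is testable)."""
import sys

BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"SOFTWARE\Classes\CLSID"


def list_bhos(subkeys_of, default_value_of):
    """Return [(clsid, dll_path_or_None)] for every registered BHO.

    subkeys_of(path) -> list of subkey names under HKLM\\path
    default_value_of(path) -> the key's default value, or None if absent
    """
    result = []
    for clsid in subkeys_of(BHO_KEY):
        dll = default_value_of(f"{CLSID_KEY}\\{clsid}\\InprocServer32")
        result.append((clsid, dll))
    return result


def unexpected_bhos(bhos, known_good_clsids):
    """Return the BHOs not in an allowlist of CLSIDs, including orphans (no DLL)."""
    return [(clsid, dll) for clsid, dll in bhos if clsid not in known_good_clsids]


def dict_adapters(registry):
    """Adapters over a dict {key_path: list_of_subkeys | default_value} for offline use."""
    def subkeys_of(path):
        value = registry.get(path, [])
        return list(value) if isinstance(value, list) else []

    def default_value_of(path):
        value = registry.get(path)
        return value if isinstance(value, str) else None

    return subkeys_of, default_value_of


def winreg_adapters():
    """Adapters that read the live registry; Windows only."""
    import winreg  # Windows-only module

    def subkeys_of(path):
        names = []
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                index = 0
                while True:
                    try:
                        names.append(winreg.EnumKey(key, index))
                        index += 1
                    except OSError:     # no more subkeys
                        break
        except OSError:                 # key does not exist
            pass
        return names

    def default_value_of(path):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                return winreg.QueryValueEx(key, "")[0]
        except OSError:
            return None

    return subkeys_of, default_value_of


# Constructed sample registry: one IncrediFind entry (CLSID and DLL path from
# the comment above) and one made-up CLSID with no InprocServer32 subkey.
INCREDIFIND_CLSID = "{5D60FF48-95BE-4956-B4C6-6BB168A70310}"
ORPHAN_CLSID = "{00000000-0000-4000-8000-CONSTRUCTED1}"
SAMPLE_REGISTRY = {
    BHO_KEY: [INCREDIFIND_CLSID, ORPHAN_CLSID],
    f"{CLSID_KEY}\\{INCREDIFIND_CLSID}\\InprocServer32":
        r"C:\Program Files\IncrediFind\BHO\incfindbho.dll",
}


if __name__ == "__main__":
    adapters = winreg_adapters() if sys.platform == "win32" else dict_adapters(SAMPLE_REGISTRY)
    for clsid, dll in list_bhos(*adapters):
        print(f"{clsid}  ->  {dll or '(no InprocServer32: orphaned entry)'}")
```

Run on a Windows host the script lists the real BHOs; elsewhere it walks the constructed sample. The allowlist passed to `unexpected_bhos` should be built from a clean reference machine, since an adware BHO installed under Program Files looks no different from a legitimate one by path alone.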


This sounds too scary to be true, I am going to be extra vigilant now!

Tray June 29, 2004


I have tried all the adware... Installed Spybot as well as Ad-aware 6 only to have the same problem. My tech support advised me to install Norton Internet Security, but that hasn't even helped. There was an article in my local paper describing this and offering the suggestion to use a different browser such as Netscape or Mozilla... as both have applied patches already in place and this is not a problem with these two browsers. So IE is gone and I've made Netscape my new browser. Not a thing has popped up yet so I'm happy!

Karen July 01, 2004


Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.