More than 100 Web servers are still distributing the "Scob" malicious code, first identified two weeks ago as code used in a widespread attack to plant Trojan horse programs on vulnerable computers.
That attack compromised Microsoft IIS Web servers to distribute the Trojan horse programs, and prompted the software giant to put out an official warning about the problem.
Enterprise security software maker Websense discovered 114 websites distributing variations of "Scob" or "Download.Ject". Whereas the attack initially targeted only Web servers running IIS Version 5, the majority of infected sites now run IIS Version 6, after administrators upgraded the systems, unaware their servers were already infected, said Dan Hubbard, director of security and technology research at Websense.
Websense said it discovered the infected sites during its daily "mining" of more than 24 million websites. The company modified its mining algorithms on 24 June to search for sites distributing the Scob code, and has been monitoring such sites ever since.
The 100 affected sites are all running either IIS 5.0 or 6.0. Attack code distributed by the infected servers still points to websites used in the attack, which were taken off-line shortly after news of the original attacks spread, meaning that the continued malicious code attacks have probably not resulted in new Trojan infections, Hubbard said.
The Scob attacks have been attributed to a Russian hacking group known as the "hangUP team", which used a recently patched buffer overflow vulnerability in Microsoft's implementation of SSL to compromise vulnerable Windows 2000 systems running IIS Version 5. Companies that failed to apply a recent security software patch, MS04-011, were vulnerable to compromise.
The June attacks also used two vulnerabilities in Windows and Explorer to silently run the malicious code, redirecting people to websites controlled by the hackers and downloading a Trojan horse program that captures keystrokes and personal data.
One of those vulnerabilities was an unpatched IE hole that used a Windows component called ADODB.Stream to force Explorer to load insecure content using relaxed security precautions typically applied to files stored on the local hard drive or obtained from a trusted Web site such as www.microsoft.com, according to experts.
On 2 July, Microsoft pushed out changes that altered the configuration of Windows 2000, XP and Windows Server 2003 to help customers fight off the Scob attacks, disabling ADODB.Stream. The company is also planning a number of software patches, including a patch for a gaping Explorer hole in coming weeks, and may release those outside of its monthly security patch schedule, the company said.
Hubbard declined to name the infected websites, but said none were "high profile" or popular enough to be listed among the 500 most-visited websites.
While the IIS 6 infections appear to be the result of upgrades to already-infected IIS servers, there are other ways that IIS 6 Web servers could be infected with Scob, according to a Microsoft spokeswoman. Among other things, users with rights to publish to an IIS 6 server who also have rights on an infected IIS 5.0 server could transfer infected Web pages from one server to the other. Alternatively, IIS servers running Version 5 without the patch that upgraded to IIS Version 6 could also be vulnerable to attack. Microsoft is not aware of any direct infection of IIS 6.0 servers.
Hubbard has spoken to five different Webmasters of infected sites. Each had recently upgraded to IIS 6.0 for a variety of reasons and was "surprised" to hear that they had been infected with Scob.