On June 24, 2004, a flaw in Microsoft IIS servers led to compromised webservers that redirected visitors to a malicious website hosted in Russia. That site exploited additional flaws in Internet Explorer to force downloads of Trojans onto the hijacked visitor's system. The malware residing on the impacted IIS servers was dubbed Download.Ject, JS.Scob.Trojan, JS.Toofeer, and the Scob Trojan depending on the antivirus vendor.
The Trojan downloaded after visitors were redirected to the Russian website has been identified as BackDoor-AXJ.dll by antivirus vendor Network Associates and Padodor.W by antivirus vendor F-Secure. According to Network Associates, the Trojan provides remote access to the infected system, creates a web proxy, and can automatically download other malicious files. According to F-Secure, the Trojan is used to steal passwords and credit card numbers from infected systems.
Microsoft released a patch for the IIS vulnerabilities in April 2004. The patch, MS04-011, would have prevented the webservers from being penetrated. Without it, the attackers were able to append exploit code to various files on the webserver. That code then forced users to another site exploiting MS04-013, a flaw that has routinely been used to deliver Trojans via email links that lead to booby-trapped websites. (See Scam emails deliver Trojaned goods). A second, as yet unpatched, flaw in Internet Explorer was also exploited in the Scob attacks.
Though the Scob attacks received widespread media attention, they were quite short-lived. The Russian site dishing up the Trojan was shutdown on the same date - June 24, 2004 - the attacks began. However, similar attacks via email remain quite prevalent. The websites used in those attacks vary. Similar to a phishing scam, the miscreant email attempts to lure the user into visiting a particular site. Unlike a phishing scam, however, instead of soliciting financial details, the site surreptitiously infects the visitor's system with Trojans used for remote-access, keylogging, or downloading further malicious files.
- See also: Scam emails deliver Trojaned goods
