Scob code still widespread, says security expert

More than 100 web servers are still distributing the "Scob" malicious code, first identified two weeks ago as code used in a...

More than 100 web servers are still distributing the "Scob" malicious code, first identified two weeks ago as code used in a widespread attack to plant Trojan horse programs on vulnerable computers.

The attack used compromised Microsoft Internet Information Services (IIS) web servers to distribute the Trojan horse programs.

Enterprise security software maker Websense discovered 114 websites distributing variations of a malicious JavaScript program known as "Scob", or "Download.Ject".

Whereas the attack initially targeted only web servers running IIS Version 5, the majority of infected sites now run IIS Version 6, after administrators upgraded the systems, unaware their servers were already infected, said Dan Hubbard, director of security and technology research at Websense.

Websense discovered the infected sites during its daily "mining" of more than 24 million websites, which the company uses to detect web- and internet-based threats. The company modified its mining algorithms on 24 June to search for websites distributing the Scob code, and has been monitoring such sites since then, he said.

The 100 affected sites are all running either IIS 5.0 or 6.0. Attack code distributed by the infected servers still points to websites used in the attack, which were taken off-line shortly after news of the original attacks spread, meaning that the continued malicious code attacks have probably not resulted in new Trojan infections, Hubbard said.

First detected on 24 June, the Scob attacks have been attributed to a Russian hacking group known as the "hangUP team", which used a recently-patched buffer overflow vulnerability in Microsoft's implementation of SSL (secure sockets layer) to compromise vulnerable Windows 2000 systems running IIS Version 5 web servers.

Companies that used IIS Version 5 and failed to apply a recent security software patch, MS04-011, were vulnerable to compromise.

The June attacks also used two vulnerabilities in Windows and the Explorer web browser to silently run the malicious code distributed from the IIS servers on machines that visited the compromised sites, redirecting the customers to websites controlled by the hackers and downloading a Trojan horse program that captures keystrokes and personal data.

One of those vulnerabilities was an unpatched IE hole that used a Windows component called ADODB.Stream to force Explorer to load insecure content using relaxed security precautions typically applied to files stored on the local hard drive or obtained from a trusted website such as, according to experts.

Despite the apparent links of the infected sites to the June attacks, some of the infected servers are distributing variations of the malicious JavaScript code used in the June attacks and are distributing the code directly in HTML web pages served from IIS, rather than appending it to web pages as a "footer", as in the original attacks, Hubbard said.

Hubbard declined to name the infected websites, but said none were "high profile" or popular enough to be listed among the 500 most-visited websites.

Paul Roberts writes for IDG News Service

Read more on IT risk management