Download.ject
Encyclopedia
In computing
, Download.ject (also known as Toofer and Scob) is a malware
program for Microsoft Windows
servers. When installed on an insecure website running on Microsoft
Internet Information Services
(IIS), it appends malicious JavaScript
to all pages served by the site.
Download.ject was the first noted case in which users of Internet Explorer
for Windows could infect their computers with malware (a backdoor and key logger
) merely by viewing a web page. It came to prominence during a widespread attack starting June 23, 2004. Infected servers included several financial sites. Security consultants prominently started promoting the use of Opera
or Mozilla Firefox
instead of IE in the wake of this attack.
Download.ject is not a virus
or a worm
; it does not spread by itself. The June 23 attack is hypothesised to have been put into place by automatic scanning of servers running IIS.
s placed Download.ject on financial and corporate websites running IIS 5.0 on Windows 2000
, breaking in using a known vulnerability. (A patch
existed for the vulnerability, but many administrators had not applied it.) The attack was first noticed June 23, although some researchers think it may have been in place as early as June 20.
Download.ject appended a fragment of JavaScript to all web pages from the compromised servers. When any page on such a server was viewed with Internet Explorer
(IE) for Windows
, the JavaScript would run, retrieve a copy of one of various backdoor and key logging programs from a server located in Russia and install it on the user's machine, using two holes in IE — one with a patch available, but the other without. These vulnerabilities were present in all versions of IE for Windows except the version included in Windows XP
Service Pack 2, which was only in beta testing at the time.
Both the server and browser flaws had been exploited before this. This attack was notable, however, for combining the two, for having been placed upon popular mainstream websites (although a list of affected sites was not released) and for the network of compromised sites used in the attack reportedly numbering in the thousands, far more than any previous such compromised network.
Microsoft advised users on how to remove an infection and to browse with security settings at maximum. Security experts also advised switching off JavaScript, using a web browser
other than Internet Explorer, using an operating system
other than Windows, or staying off the Internet altogether.
This particular attack was neutralised on June 25 when the server from which Download.ject installed a backdoor was shut down. Microsoft issued a patch for Windows 2000, 2003 and XP on July 2.
Although not a sizable attack compared to email worms of the time, the fact that almost all existing installations of IE — 95% of web browsers in use at the time — were vulnerable, and that this was the latest in a series of IE holes leaving the underlying operating system vulnerable, caused a notable wave of concern in the press. Even some business press started advising users to switch to other browsers, despite that the then-prerelease Windows XP SP2 being invulnerable to the attack.
Computing
Computing is usually defined as the activity of using and improving computer hardware and software. It is the computer-specific part of information technology...
, Download.ject (also known as Toofer and Scob) is a malware
Malware
Malware, short for malicious software, consists of programming that is designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, or gain unauthorized access to system resources, or that otherwise exhibits abusive behavior...
program for Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
servers. When installed on an insecure website running on Microsoft
Microsoft
Microsoft Corporation is an American public multinational corporation headquartered in Redmond, Washington, USA that develops, manufactures, licenses, and supports a wide range of products and services predominantly related to computing through its various product divisions...
Internet Information Services
Internet Information Services
Internet Information Services – formerly called Internet Information Server – is a web server application and set of feature extension modules created by Microsoft for use with Microsoft Windows. It is the most used web server after Apache HTTP Server. IIS 7.5 supports HTTP, HTTPS,...
(IIS), it appends malicious JavaScript
JavaScript
JavaScript is a prototype-based scripting language that is dynamic, weakly typed and has first-class functions. It is a multi-paradigm language, supporting object-oriented, imperative, and functional programming styles....
to all pages served by the site.
Download.ject was the first noted case in which users of Internet Explorer
Internet Explorer
Windows Internet Explorer is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems, starting in 1995. It was first released as part of the add-on package Plus! for Windows 95 that year...
for Windows could infect their computers with malware (a backdoor and key logger
Keystroke logging
Keystroke logging is the action of tracking the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored...
) merely by viewing a web page. It came to prominence during a widespread attack starting June 23, 2004. Infected servers included several financial sites. Security consultants prominently started promoting the use of Opera
Opera (web browser)
Opera is a web browser and Internet suite developed by Opera Software with over 200 million users worldwide. The browser handles common Internet-related tasks such as displaying web sites, sending and receiving e-mail messages, managing contacts, chatting on IRC, downloading files via BitTorrent,...
or Mozilla Firefox
Mozilla Firefox
Mozilla Firefox is a free and open source web browser descended from the Mozilla Application Suite and managed by Mozilla Corporation. , Firefox is the second most widely used browser, with approximately 25% of worldwide usage share of web browsers...
instead of IE in the wake of this attack.
Download.ject is not a virus
Computer virus
A computer virus is a computer program that can replicate itself and spread from one computer to another. The term "virus" is also commonly but erroneously used to refer to other types of malware, including but not limited to adware and spyware programs that do not have the reproductive ability...
or a worm
Computer worm
A computer worm is a self-replicating malware computer program, which uses a computer network to send copies of itself to other nodes and it may do so without any user intervention. This is due to security shortcomings on the target computer. Unlike a computer virus, it does not need to attach...
; it does not spread by itself. The June 23 attack is hypothesised to have been put into place by automatic scanning of servers running IIS.
Attack of June 23, 2004
HackerHacker (computer security)
In computer security and everyday language, a hacker is someone who breaks into computers and computer networks. Hackers may be motivated by a multitude of reasons, including profit, protest, or because of the challenge...
s placed Download.ject on financial and corporate websites running IIS 5.0 on Windows 2000
Windows 2000
Windows 2000 is a line of operating systems produced by Microsoft for use on personal computers, business desktops, laptops, and servers. Windows 2000 was released to manufacturing on 15 December 1999 and launched to retail on 17 February 2000. It is the successor to Windows NT 4.0, and is the...
, breaking in using a known vulnerability. (A patch
Patch (computing)
A patch is a piece of software designed to fix problems with, or update a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance...
existed for the vulnerability, but many administrators had not applied it.) The attack was first noticed June 23, although some researchers think it may have been in place as early as June 20.
Download.ject appended a fragment of JavaScript to all web pages from the compromised servers. When any page on such a server was viewed with Internet Explorer
Internet Explorer
Windows Internet Explorer is a series of graphical web browsers developed by Microsoft and included as part of the Microsoft Windows line of operating systems, starting in 1995. It was first released as part of the add-on package Plus! for Windows 95 that year...
(IE) for Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
, the JavaScript would run, retrieve a copy of one of various backdoor and key logging programs from a server located in Russia and install it on the user's machine, using two holes in IE — one with a patch available, but the other without. These vulnerabilities were present in all versions of IE for Windows except the version included in Windows XP
Windows XP
Windows XP is an operating system produced by Microsoft for use on personal computers, including home and business desktops, laptops and media centers. First released to computer manufacturers on August 24, 2001, it is the second most popular version of Windows, based on installed user base...
Service Pack 2, which was only in beta testing at the time.
Both the server and browser flaws had been exploited before this. This attack was notable, however, for combining the two, for having been placed upon popular mainstream websites (although a list of affected sites was not released) and for the network of compromised sites used in the attack reportedly numbering in the thousands, far more than any previous such compromised network.
Microsoft advised users on how to remove an infection and to browse with security settings at maximum. Security experts also advised switching off JavaScript, using a web browser
Web browser
A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier and may be a web page, image, video, or other piece of content...
other than Internet Explorer, using an operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
other than Windows, or staying off the Internet altogether.
This particular attack was neutralised on June 25 when the server from which Download.ject installed a backdoor was shut down. Microsoft issued a patch for Windows 2000, 2003 and XP on July 2.
Although not a sizable attack compared to email worms of the time, the fact that almost all existing installations of IE — 95% of web browsers in use at the time — were vulnerable, and that this was the latest in a series of IE holes leaving the underlying operating system vulnerable, caused a notable wave of concern in the press. Even some business press started advising users to switch to other browsers, despite that the then-prerelease Windows XP SP2 being invulnerable to the attack.
Technical information
- IIS 5 Web Server Compromises (CERT, 24 June 2004)
- Compromised Web Sites Infect Web Surfers (SANS Internet Storm Center, 25 June 2004)
- Berbew/Webber/Padodor Trojan Analysis (LURHQ Threat Intelligence Group, 25 June 2004) — analysis of the backdoor program installed on users' PCs
- What You Should Know About Download.Ject (Microsoft, 24 June 2004)
- Microsoft Statement Regarding Download.Ject Malicious Code Security Issue (Microsoft, 26 June 2004)
- Microsoft Security Bulletin MS04-011: Security Update for Microsoft Windows (835732) (Microsoft, 13 April 2004) — patch for server flaw
- MHTML URL Processing Vulnerability (Common Vulnerabilities and Exposures, 5 April 2004) — the IE flaw for which a patch was available at the time
- Internet Explorer Cross-Zone Vulnerability Exploitation (Internet Security Systems, 25 June 2004) — the IE flaw for which no patch was available at the time
- How to disable the ADODB.Stream object from Internet Explorer (Microsoft Knowledge Base article 870669) — the patch for the second IE flaw
Press coverage
- CFCU web site infects Ithaca customers' computers (Mark H. Anbinder, 14850 Today, 24 June 2004)
- Experts studying Internet attack (Associated Press, 24 June 2004)
- Researchers warn of infectious Web sites (Robert Lemos, ZDNet, 24 June 2004)
- Web site virus attack blunted (Robert Lemos, CNet, 25 June 2004)
- Internet Attack Slowing Down (George V. Hulme, Information Week, 25 June 2004)
- Virus Designed to Steal Windows Users' Data: Hundreds of Web Sites Targeted (Brian Krebs, Washington Post, 26 June 2004, page A01)
- IE flaw may boost rival browsers (Robert Lemos and Paul Festa, CNet, 28 June 2004)
- What's the New IE Flaw All About? (Stephen H. Wildstrom, Business Week, 29 June 2004)
- Internet Explorer Is Just Too Risky (Stephen H. Wildstrom, Business Week, 29 June 2004)
- Are the Browser Wars Back?: How Mozilla's Firefox trumps Internet Explorer (Paul Boutin, MSN Slate, 30 June 2004)
- Bruce Schneier: Microsoft still has work to do (Bill Brenner, SearchSecurity.com, 4 October 2004)