Last week a mysterious new threat was discovered. Called Download.Ject by Microsoft and dubbed the Scob Trojan by antivirus vendors, this new malware was planted on the web servers of popular and well-known web sites. It was later determined that Windows 2000 servers running Internet Information Services (IIS) 5.0 that have not had the MS04-011 patch applied are vulnerable to having malicious code injected into the web pages they serve.
When users running Internet Explorer visit a web page from a compromised server, two Internet Explorer vulnerabilities disclosed earlier in June, both still unpatched, are exploited to redirect them to a Russian web site and plant a Trojan program on their computer. The Trojan is designed to steal sensitive and confidential information such as usernames, passwords, account numbers and credit card numbers.
Reports of the scope of the threat vary. Authorities have kept the names of the affected sites secret thus far, and estimates of the number of impacted sites range from fewer than 10 to dozens, all the way up to around 100. The total number of affected web sites seems low, but hints from authorities suggest that some of those sites were very popular, possibly even among the top 50 sites worldwide.
The web site that this threat redirected users to, and to which the stolen financial data was sent, has been taken offline. Some security experts fear, however, that the attackers could simply point the injected code at a new server, or that copycat attackers could spring up, for as long as the vulnerabilities remain unpatched.
Web administrators are urged to apply the MS04-011 patch to all IIS 5.0 systems running on Windows 2000. Users of Internet Explorer are being directed by Microsoft to raise their security settings to the highest level and/or disable active scripting. Microsoft has also reiterated that users should stay current with security patches, although that advice does nothing for the browser side of this attack, since Microsoft has not yet issued a patch for either of the two Internet Explorer vulnerabilities being exploited. Microsoft reports that users who have installed Release Candidate 2 of Windows XP Service Pack 2 are not vulnerable to these attacks.
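For readers who want to apply the browser-side workaround without clicking through the Internet Options dialog, the following is an added example, not code from the original column or from Microsoft. It disables Active Scripting in Internet Explorer's Internet zone for the current user and reads the setting back to confirm the change. It assumes IE's documented registry layout for security zones (Zones\3 is the Internet zone, value 1400 is "Active scripting", and 0, 1 and 3 mean enable, prompt and disable respectively); the function names are mine. Verify the value names against Microsoft's documentation before rolling this out to more than one machine.

```powershell
# Added example: disable Active Scripting in IE's Internet zone for the
# current user, the client-side mitigation recommended while no patch exists.
# Assumption: Zones\3 = Internet zone, value 1400 = "Active scripting",
# 0 = enable, 1 = prompt, 3 = disable (IE's documented zone layout).
$zonePath       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$activeScripting = '1400'

function Get-ActiveScriptingState {
    # Returns a readable state for the Active Scripting setting, or 'unknown'
    # if the value is absent (IE then falls back to the zone's default).
    $props = Get-ItemProperty -Path $zonePath -Name $activeScripting -ErrorAction SilentlyContinue
    $value = if ($props) { $props.$activeScripting } else { $null }
    switch ($value) {
        0       { 'enabled' }
        1       { 'prompt' }
        3       { 'disabled' }
        default { 'unknown' }
    }
}

function Disable-ActiveScripting {
    # Create the zone key if it does not exist, then set 1400 to 3 (disable).
    if (-not (Test-Path $zonePath)) { New-Item -Path $zonePath -Force | Out-Null }
    Set-ItemProperty -Path $zonePath -Name $activeScripting -Value 3 -Type DWord
}

"Before: Active Scripting is $(Get-ActiveScriptingState)"
Disable-ActiveScripting
"After:  Active Scripting is $(Get-ActiveScriptingState)"
```

Because the change is made under HKCU it needs no administrative rights and affects only the user who runs it; the same value under HKLM (or a domain policy) would apply it machine-wide. Expect some legitimate sites to stop working until the setting is restored or the site is added to the Trusted Sites zone.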
I am not part of the anti-Microsoft bandwagon and don't generally advocate abandoning Microsoft products, but alternatives exist for both web administrators and users. Web administrators can run different web server software, such as the venerable Apache, which is available for Windows; if you really want to get away from Microsoft products, you can run it on a Linux server instead.
Users can switch to a non-Microsoft web browser such as Netscape or Opera. Mozilla also offers a newer browser, Firefox, which strips out the extras bundled with the Mozilla suite, such as the email and news readers, and provides just the web browser.
Switching to any of these products will protect you from these particular vulnerabilities and threats going forward, though it does nothing for a computer on which the Trojan has already been planted. I also caution anyone against developing a false sense of security by switching away from Microsoft products. Vulnerabilities are found, and patches issued, for virtually all software, and no matter what you use it is your responsibility to stay informed about new vulnerabilities and ensure that your network and computers are protected.