Today s malicious code threat js scob trojan analysis
1 / 20

- PowerPoint PPT Presentation

  • Uploaded on

Today’s Malicious Code Threat ~ JS.Scob.Trojan Analysis. Peter Schawacker, CISSP. Overview. The JS.Scob.Trojan Timeline IE Security Overview How the attacks work Effects Solutions. Scob. AKA Download.Ject JS.Scob.Trojan JS.Toofeer Backdoor.Berbew.F JS.Toofeer . MS04-011? ?. Scob.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about '' - etta

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Today s malicious code threat js scob trojan analysis

Today’s Malicious Code Threat ~JS.Scob.Trojan Analysis

Peter Schawacker, CISSP


  • The JS.Scob.Trojan

  • Timeline

  • IE Security Overview

  • How the attacks work

  • Effects

  • Solutions

Today s malicious code threat js scob trojan analysis

  • AKA

    • Download.Ject

    • JS.Scob.Trojan

    • JS.Toofeer

    • Backdoor.Berbew.F

    • JS.Toofeer

Today s malicious code threat js scob trojan analysis



Internet explorer security
Internet Explorer Security

  • Cross Domain Model

    • Local Machine Zone

    • " implicit zone for content that exists on the local computer. The content found on the user's computer, except for content that Internet Explorer caches on the local system, is treated with a high level of trust."

Timeline adodb stream object bug
Timeline: ADODB.Stream Object Bug

  • FullDisclosure Post August 26, 2003!!

  • IE Bug allows client-side code execution

  • Detailed Analysis


    • Harmless example:

Scob discovered june 24
Scob Discovered June 24

  • The original post is available in the June 24 Internet Storm Center Handlers Diary



  • Trojan horse installation – Scob

  • Purpose of trojan to steal accounts

  • An account is an identity!!

  • First time web servers used since Nimda

Compromised iis servers
Compromised IIS Servers

  • A file is dropped on an IIS Server and subsequently executed to prepare the server. The relevant actions are:

    • File is dropped on IIS Server

    • Create ads.vbs

    • Drop files in C:\winnt\system32\inetsrv/iis###.dll

    • Server configured to use this file as a footer

  • Modify the configuration of the IIS Server such that served web pages are appended by a footer that contains malicious Java code

What scob does
What Scob does

  • Redirects IE to

  • Visitor redirected to a file called new.html

  • Exploit code redirects the visitor to Shellscript_loader.js

  • In turn, downloads and installs msits.exe

    • (ADODB.Stream Object File Installation Weakness vulnerability)

What scob does continued
What Scob does (continued)

  • msits.exe application writes itself to a random executable file in c:/winnt/system32

    • Windows Media Player?

  • Reruns the process from the system directory.

  • Copies two HTML forms, crude login templates and a log file (surf.dat) to the system directory

  • msits.exe attempts to record authentication credentials and their corresponding URLs

  • Quasi-rootkit patches “PhysicalMemory” device

    • Doesn’t appear in Task List

Sites of interest to scob msits exe



Sites of Interest to Scob/msits.exe


  • Set the “Kill Bit” on the ADODB.Stream Object (no patch from MS)

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveXCompatibility\{00000566-0000-0010-8000-00AA006D2EA4}] "CompatibilityFlags"=dword:00000400

  • Make Local Zone/My Computer Zone visible from the Internet Options Security tab

  • Don’t use IE (USCERT) (!!)

Host ips countermeasures iis server
Host IPS Countermeasures (IIS Server)

  • Triggers event “IIS Shielding - File Mod. in System folder”

  • Triggers event “IIS Shielding - Conf. File Activity (ADMCOMConnect)”

Network ips countermeasures iis
Network IPS Countermeasures (IIS)

  • SHELLCODE: Shellcode Exploit Detected for i386 Family CPUs

  • KERBEROS: Microsoft Kerberos ASN.1 Double Free Encoding Error

  • LDAP: Active Directory BO

  • SSL: Invalid Client Hell Cipher Suite Value

  • SSL: Overly Long PCT Client Hello Challenge

  • SSL: Microsoft ASN.1 Double Free Code Execution

  • SSL: PCT THCLame Challenge Buffer Overflow

  • DCERPC: Microsoft Windows LSASS Buffer Overflow

  • DCERPC: Microsoft RPC DCOM Buffer Overflow

  • DCERPC: Microsoft RPCSS Heap Overflow

  • DCERPC: Microsoft Message Queue Service Heap Overflow

  • DCERPC: Microsoft Messenger Service Buffer Overflow

  • DCERPC: Microsoft Workstation Service Buffer Overflow

  • DCERPC: W32/Gaobot.worm Detected

Ips countermeasures ie client
IPS Countermeasures (IE Client)

  • Triggers event "IE Envelope Suspicious Executable Modification”

Anti virus

  • Detected by McAfee VirusScan

    • BackDoor-AXJ.gen

    • VBS/Psyme  

    • Exploit-MhtRedir.gen

    • BackDoor-AXJ.dll

Why is this important
Why is this important?

  • What if your web server is trojaned?

  • What if your desktop is trojaned?

  • Who is doing this?

  • What’s next?

  • What should be done?







  • Peter Schawacker


  • 760-880-4258