IIS Server Malware is Phishing Scam

The malicious code downloaded from compromised IIS servers onto users' machines includes a trojan that records keystrokes in an attempt to steal e-commerce login information, according to a detailed analysis by LURHQ. The trojan attempts to capture eBay and Paypal passwords and send them to third parties "through the use of hidden IE windows using HTML forms and Javascript to autosubmit," according to LURHQ.

Microsoft says the exploit affected servers running Windows 2000 and IIS 5.0 that are not fully patched against a bevy of security holes detailed in April, known collectively as MS04-011. The initial version of the patch included bugs that crashed Win2K systems. Microsoft posted a web page confirming the IIS issue and referring system admins to a knowledgebase article detailing the workarounds and fixes available for affected Win2K machines.

Internet users wanting to avoid potentially vulnerable sites can use Netcraft's What's That Site Running feature to determine a site's operating system and web server version.

There are still conflicting reports about the extent of the problem, and exactly which sites may have been spreading malware to their users. LURHQ says it has seen "a relatively small number of sites reporting the infections of IIS servers," while SANS reports that the compromise affected "a large number of web sites, some of them quite popular."

Any e-commerce sites that installed keylogging software on their users' machines would appear to have a major headache, having served as the unwitting agent for exposing customers to the potential theft of personal information. There are potentially serious ramifications for Microsoft as well, since the exploit used to spread the trojan appears to have infected end users with fully-patched web browsers. Several accounts suggest some compromised IIS servers were also fully patched. While Microsoft is noting the availability of hotfixes and workarounds, the flawed MS04-011 patch for Win2K figures to be a point of contention as the security community conducts a damage assessment and post-mortem.