Microsoft has released a tool that removes the trojan used by Download.Ject

In case you need a way to clean up after getting hit by the Download.Ject exploit…

Download.Ject malware removal tool released

Microsoft has learned of a Trojan program that is downloaded by the Download.Ject malware, also known as Scob, to client machines from infected IIS servers. When a user visits a Web site hosted on an IIS server that is infected with Download.Ject, the Web pages downloaded to the user’s system contain an additional JavaScript program that downloads another Trojan program to the user’s system. This second Trojan is called Backdoor:W32/Berbew, also known as Backdoor-AXJ, Webber, or Padodor. When this second Trojan runs on the user’s machine, it performs several actions, including:

  – Monitoring Internet access. When the user visits one of several financial or ISP Web sites, the Trojan captures sensitive information—such as log-in names, passwords, and so on—and sends it to a Web server for the Trojan’s author to retrieve.
  – Installing a proxy server that allows the user’s system to be used as a relay for such actions as sending spam.
  – Opening fake dialog boxes that prompt the user to enter confidential information such as ATM card codes, credit card numbers, and so on. This information is then sent to a Web server for the Trojan’s author to retrieve.

Microsoft has released a tool to help you remove Backdoor:W32/Berbew Trojan variants from your computer. You can download this tool from the Microsoft Download Center and run it on your computer to remove Backdoor:W32/Berbew.A, Backdoor:W32/Berbew.B, Backdoor:W32/Berbew.C, Backdoor:W32/Berbew.D, Backdoor:W32/Berbew.E, Backdoor:W32/Berbew.F, Backdoor:W32/Berbew.G and Backdoor:W32/Berbew.H infections.

This tool is discussed in Microsoft Knowledge Base article 873018. This KB can be found here:

Use it in good health.

RegEx as a way to better data validation

Someone recently sent me a link to an MSDN article about 10 must-have tools.  While looking it over I saw The Regulator listed and started thinking about validation of client data.

Everyone has by now heard that you must validate your data from a client before you act on it, but what does that mean?  It doesn’t mean that you just put a maximum length on your input box in your HTML and call it done.  That is no security at all.  Instead you have to do server-side checks against what you expected to receive from the client.  If you then want to go the extra measure and strip out dangerous characters after that, then enjoy!  You can’t catch everything with this latter approach.  Take this example.  Suppose you have a page that takes a value and uses it in the WHERE clause of a dynamic SQL statement (you shouldn’t, of course, but people still do).  Now you want to avoid SQL injection and for some reason have ruled out parameterized queries using ADO.Net.  Given this classic SQL-injection-vulnerable scenario, suppose you are trying to defend against a string like: ' OR 1=1 --

Single quotes are easy to strip out, and in some cases you can even look for the OR as a literal string.  Suppose further that you have a field that asks for age and uses that to execute your dynamic SQL query.  The shrewd (or maybe just lucky) hacker can put in: O'R 1=1 --

Now this won’t destroy your server, but I am trying to prove a point, not educate hackers.  If your home-grown script to kill SQL-injection-like characters checks for the literal OR, it will find that it isn’t present.  The single quote defeats that check, but it also breaks the OR.  If your next move is to strip out single quotes, then your own defenses fix the hacker’s statement.  Also, since the datatype of the field isn’t text, I don’t need the single quote anyway; it was just a way to put in a character that hides my OR and that you will strip out for me.  This can be done in billions of ways depending on your order of operations.  What this proves is what Erik Olsen of Microsoft has said in the past and I agree with totally, namely: YOU CAN’T ENSURE SOMETHING ISN’T WHAT YOU WANT, ONLY THAT IT IS WHAT YOU WANT.  If I expect a zip code from inside the United States, then I check that the value is 5 characters, all of them digits.  Done; I know it is what I expected and can now move on.  If you have to strip something bad out of user data, then maybe you shouldn’t strip it out, but instead reject the request completely.
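To make the order-of-operations problem concrete, here is an added example (not code from the original post) that puts a home-grown blocklist filter of the kind described above next to an allowlist check, and then shows the validated value going into a parameterized query. The filter, the allowlist patterns for "zip" and "age", the function names and the in-memory users table are all constructed for this illustration; the input O'R 1=1 -- is the post's own example.

```python
import re
import sqlite3


# Constructed example of the home-grown "strip the bad characters" filter the
# post warns about: it looks for the literal OR first, then strips single quotes.
def blocklist_sanitize(value: str) -> str:
    if re.search(r"\bOR\b", value, re.IGNORECASE):
        raise ValueError("rejected: contains OR")
    # Stripping the quote *after* the OR check rebuilds the OR that O'R was hiding.
    return value.replace("'", "")


def blocklist_check_passes(value: str) -> bool:
    """True if the blocklist filter lets the value through instead of rejecting it."""
    try:
        blocklist_sanitize(value)
        return True
    except ValueError:
        return False


# Allowlist patterns: describe exactly what is expected and nothing else.
# They are anchored and checked with fullmatch, so the whole value must match;
# "12345 OR 1=1 --" contains five digits but is not five digits.
ALLOWLIST = {
    "zip": re.compile(r"^[0-9]{5}$"),                        # US zip: exactly five digits
    "age": re.compile(r"^(?:[1-9][0-9]?|1[01][0-9]|120)$"),  # integer 1..120, no leading zeros
}


def is_expected(field: str, value: str) -> bool:
    """Accept only values that match the field's allowlist pattern."""
    return ALLOWLIST[field].fullmatch(value) is not None


def demo_connection() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (stands in for the real database)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, age INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", 34), ("bob", 34), ("carol", 51)],
    )
    return conn


def find_names_by_age(conn: sqlite3.Connection, raw_age: str) -> list:
    """Validate against the allowlist, then query with a bound parameter: no string building."""
    if not is_expected("age", raw_age):
        raise ValueError("rejected: age must be an integer from 1 to 120")
    rows = conn.execute(
        "SELECT name FROM users WHERE age = ? ORDER BY name", (int(raw_age),)
    )
    return [name for (name,) in rows]


if __name__ == "__main__":
    payload = "O'R 1=1 --"                   # the post's example input
    print(blocklist_check_passes(payload))   # True: the OR check sees O'R, not OR
    print(blocklist_sanitize(payload))       # OR 1=1 --  (stripping the quote restored it)
    print(is_expected("age", payload))       # False: the allowlist rejects it outright
    print(is_expected("zip", "90210"), is_expected("zip", "9021O"))  # True False
    print(find_names_by_age(demo_connection(), "34"))                # ['alice', 'bob']
```

The point of the two halves is the one the post makes: the blocklist filter can be reordered, but any order leaves some input that its own steps transform into what it was trying to remove, whereas the allowlist check has nothing to strip and simply rejects anything that is not a five-digit zip code or an age in range. The validated value then goes to the database as a bound parameter, so it is never part of the SQL text at all.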

If any of this sounds reasonable then you really have to get going on your RegEx skills and that brings us back to the utilities list.  Try The Regulator, find something else, write your own or just learn the RegEx syntax.

Fix available for Download.Ject attack…

Microsoft has released a Knowledge Base article, 870669, that describes how to implement a change manually that will disable the browser’s capability to leverage the ADODB.Stream object.

This could be a painful fix for many organizations, as you may be using that object for certain file-based Intranet applications.  The best thing to do is test the fix and see if anything you care about breaks.  Then you can roll it out.  There are steps at the bottom of the article that describe undoing the change, but this is a nasty exploit (it manages to steal passwords and the like), so I wouldn’t wait long before paying some attention to it.