In computing, Download.ject (also known as Toofer and Scob) is a malware program for Microsoft Windows servers. When installed on an insecure website running on Microsoft Internet Information Services (IIS), it appends malicious JavaScript to all pages served by the site.
Download.ject was the first noted case in which users of Internet Explorer for Windows could infect their computers with malware (a backdoor and key logger) merely by ''viewing'' a web page. It came to prominence during a widespread attack starting June 23, 2004, when it infected many servers including several that hosted financial sites. Security consultants prominently started promoting the use of Opera or Mozilla Firefox instead of IE in the wake of this attack.
Download.ject is not a virus or a worm; it does not spread by itself. The June 23 attack is hypothesised to have been put into place by automatic scanning of servers running IIS.
Attack of June 23, 2004
Hackers placed Download.ject on financial and corporate websites running IIS 5.0 on Windows 2000, breaking in using a known vulnerability. (A patch existed for the vulnerability, but many administrators had not applied it.) The attack was first noticed June 23, although some researchers think it may have been in place as early as June 20.
Download.ject appended a fragment of JavaScript to all web pages from the compromised servers. When any page on such a server was viewed with Internet Explorer (IE) for Windows, the JavaScript would run, retrieve a copy of one of various backdoor and key logging programs from a server located in Russia and install it on the user's machine, using two holes in IE — one with a patch available, but the other without. These vulnerabilities were present in all versions of IE for Windows except the version included in Windows XP Service Pack 2, which was only in beta testing at the time.
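A defender-side check for the behaviour described above, as an added example that is not part of the original article: it compares a page as stored on disk with the body the server actually returned, and flags script content that follows the file's own content or the closing </html> tag. The function names and the sample pages are constructed for illustration.

```python
import re

# Opening <script> tag and closing </html> tag, matched case-insensitively.
SCRIPT_RE = re.compile(rb"<\s*script\b", re.IGNORECASE)
HTML_END_RE = re.compile(rb"</\s*html\s*>", re.IGNORECASE)


def appended_suffix(on_disk: bytes, served: bytes) -> bytes:
    """Return bytes the response carries after the file's own content, else b""."""
    base = on_disk.rstrip()
    if served.startswith(base):
        return served[len(base):].strip()
    return b""


def trailing_after_html(served: bytes) -> bytes:
    """Return whatever follows the last closing </html> tag (no baseline needed)."""
    last = None
    for last in HTML_END_RE.finditer(served):
        pass
    return served[last.end():].strip() if last else b""


def check_page(url: str, on_disk: bytes, served: bytes) -> dict:
    """Classify one page as 'clean', 'modified' or 'script-appended'."""
    # Prefer the baseline comparison; fall back to the </html> heuristic for
    # dynamic pages whose on-disk source differs from the rendered output.
    suffix = appended_suffix(on_disk, served) or trailing_after_html(served)
    if suffix and SCRIPT_RE.search(suffix):
        verdict = "script-appended"
    elif served.strip() != on_disk.strip():
        verdict = "modified"
    else:
        verdict = "clean"
    return {"url": url, "verdict": verdict, "suffix_len": len(suffix)}


# Constructed sample data: one static page and two responses for it.
PAGE = b"<html><body><h1>Accounts</h1></body></html>\n"
CLEAN = PAGE
TAMPERED = PAGE + b'<script language="JavaScript">/* placeholder */</script>'

if __name__ == "__main__":
    for name, body in (("/index.htm", CLEAN), ("/login.htm", TAMPERED)):
        print(check_page(name, PAGE, body))
```

Because the script was added by the server at response time, the served body has to be fetched over HTTP and compared with the stored file; inspecting the files on disk alone would not show it.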
Both the server and browser flaws had been exploited before this. This attack was notable, however, for combining the two, for having been placed upon popular mainstream websites (although a list of affected sites was not released) and for the network of compromised sites used in the attack reportedly numbering in the thousands, far more than any previous such compromised network.
Microsoft advised users on how to remove an infection and to browse with security settings at maximum. Security experts also advised switching off JavaScript, using a web browser other than Internet Explorer, using an operating system other than Windows, or staying off the Internet altogether.
This particular attack was neutralised on June 25 when the server from which Download.ject installed a backdoor was shut down. Microsoft issued a patch for Windows 2000, 2003 and XP on July 2.
Although not a sizable attack compared to email worms of the time, the fact that almost all existing installations of IE — 95% of web browsers in use at the time — were vulnerable, and that this was the latest in a series of IE holes leaving the underlying operating system vulnerable, caused a notable wave of concern in the press. Even some business press started advising users to switch to other browsers, despite the then-prerelease Windows XP SP2 being invulnerable to the attack.
See also
* Browser wars
External links
Technical information
IIS 5 Web Server Compromises (CERT, 24 June 2004)
Compromised Web Sites Infect Web Surfers (SANS Internet Storm Center, 25 June 2004)
(LURHQ Threat Intelligence Group, 25 June 2004) — analysis of the backdoor program installed on users' PCs
What You Should Know About Download.Ject (Microsoft, 24 June 2004)
Microsoft Statement Regarding Download.Ject Malicious Code Security Issue (Microsoft, 26 June 2004)
Microsoft Security Bulletin MS04-011: Security Update for Microsoft Windows (835732) (Microsoft, 13 April 2004) — patch for server flaw
MHTML URL Processing Vulnerability (Common Vulnerabilities and Exposures, 5 April 2004) — the IE flaw for which a patch was available at the time
Internet Explorer Cross-Zone Vulnerability Exploitation (Internet Security Systems, 25 June 2004) — the IE flaw for which no patch was available at the time
How to disable the ADODB.Stream object from Internet Explorer (Microsoft Knowledge Base article 870669) — the patch for the second IE flaw
Press coverage
(Mark H. Anbinder, 14850 Today, 24 June 2004)
(Associated Press, 24 June 2004)
(Robert Lemos, ZDNet, 24 June 2004)
(Robert Lemos, CNet, 25 June 2004)
Internet Attack Slowing Down (George V. Hulme, ''Information Week'', 25 June 2004)
(Brian Krebs, ''Washington Post'', 26 June 2004, page A01)
(Robert Lemos and Paul Festa, CNet, 28 June 2004)
(Stephen H. Wildstrom, ''Business Week'', 29 June 2004)
Are the Browser Wars Back?: How Mozilla's Firefox trumps Internet Explorer (Paul Boutin, MSN ''Slate'', 30 June 2004)
(Bill Brenner, SearchSecurity.com, 4 October 2004)