Download.ject

In computing, Download.ject (also known as Toofer and Scob) is a malware program for Microsoft Windows servers. When installed on an insecure website running on Microsoft Internet Information Services (IIS), it appends malicious JavaScript to all pages served by the site.

Download.ject was the first noted case in which users of Internet Explorer for Windows could infect their computers with malware (a backdoor and key logger) merely by viewing a web page. It came to prominence during a widespread attack starting June 23, 2004, when it infected many servers including several that hosted financial sites. Security consultants prominently started promoting the use of Opera [1] or Mozilla Firefox instead of IE in the wake of this attack.

Download.ject is not a virus or a worm; it does not spread by itself. The June 23 attack is hypothesised to have been put into place by automatic scanning of servers running IIS.

Attack of June 23, 2004

Hackers placed Download.ject on financial and corporate websites running IIS 5.0 on Windows 2000, breaking in using a known vulnerability. (A patch existed for the vulnerability, but many administrators had not applied it.) The attack was first noticed June 23, although some researchers think it may have been in place as early as June 20.

Download.ject appended a fragment of JavaScript to all web pages from the compromised servers. When any page on such a server was viewed with Internet Explorer (IE) for Windows, the JavaScript would run, retrieve a copy of one of various backdoor and key logging programs from a server located in Russia and install it on the user's machine, using two holes in IE, one with a patch available but the other without. These vulnerabilities were present in all versions of IE for Windows except the version included in Windows XP Service Pack 2,[2] which was only in beta testing at the time.
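
A defender's check for the behaviour described above, as an added example that is not part of the original article: compare what the server actually sends with the file on disk and flag any script fragment appended to the response, especially an identical one on every page. The page contents, the placeholder fragment and all function names are constructed for illustration.

```python
import re

HTML_CLOSE = re.compile(rb"</html\s*>", re.IGNORECASE)
SCRIPT_OPEN = re.compile(rb"<script\b", re.IGNORECASE)

def appended_suffix(on_disk: bytes, served: bytes) -> bytes:
    """Bytes the server added after the on-disk content (b"" if none)."""
    return served[len(on_disk):] if served.startswith(on_disk) else b""

def trailing_after_html(served: bytes) -> bytes:
    """Content after the last </html> tag; fallback for dynamic pages."""
    matches = list(HTML_CLOSE.finditer(served))
    return served[matches[-1].end():].strip() if matches else b""

def audit(pages: dict) -> dict:
    """Map each appended script fragment to the sorted paths carrying it."""
    by_fragment = {}
    for path, (on_disk, served) in sorted(pages.items()):
        fragment = (appended_suffix(on_disk, served).strip()
                    or trailing_after_html(served))
        if fragment and SCRIPT_OPEN.search(fragment):
            by_fragment.setdefault(fragment, []).append(path)
    return by_fragment

def site_wide(by_fragment: dict, total_pages: int) -> list:
    """Fragments found on every audited page: a server-level injection signal."""
    return [f for f, paths in by_fragment.items() if len(paths) == total_pages]

# Constructed sample data: on-disk files and the bodies a client received.
FRAGMENT = b"<script>/* constructed placeholder fragment */</script>"

def _page(title: bytes) -> bytes:
    return b"<html><body>" + title + b"</body></html>\n"

DISK = {"/index.htm": _page(b"Home"),
        "/login.htm": _page(b"Login"),
        "/about.htm": _page(b"About")}
CLEAN_SITE = {p: (body, body) for p, body in DISK.items()}
COMPROMISED_SITE = {p: (body, body + FRAGMENT) for p, body in DISK.items()}

if __name__ == "__main__":
    found = audit(COMPROMISED_SITE)
    for fragment, paths in found.items():
        print(len(paths), "page(s) carry", fragment[:40], paths)
    print("site-wide fragments:", len(site_wide(found, len(COMPROMISED_SITE))))
```

Because the on-disk files are untouched when the server itself does the appending, the comparison has to be made against responses fetched over HTTP rather than against the web root alone.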

Both the server and browser flaws had been exploited before this. This attack was notable, however, for combining the two, for having been placed upon popular mainstream websites (although a list of affected sites was not released) and for the network of compromised sites used in the attack reportedly numbering in the thousands, far more than any previous such compromised network.

Microsoft advised users on how to remove an infection and to browse with security settings at maximum. Security experts also advised switching off JavaScript, using a web browser other than Internet Explorer, using an operating system other than Windows, or staying off the Internet altogether.

This particular attack was neutralised on June 25 when the server from which Download.ject installed a backdoor was shut down. Microsoft issued a patch for Windows 2000, 2003 and XP on July 2.

Although not a sizable attack compared to email worms of the time, the fact that almost all existing installations of IE (95% of web browsers in use at the time) were vulnerable, and that this was the latest in a series of IE holes leaving the underlying operating system vulnerable, caused a notable wave of concern in the press. Even some business press started advising users to switch to other browsers, despite the then-prerelease Windows XP SP2 being invulnerable to the attack.


References

  1. Brenner, Bill (October 4, 2004). "Schneier: Microsoft still has work to do". Schneier on Security. Archived from the original on 2004-10-10. Retrieved 2007-01-08.
  2. "Changes to Functionality in Microsoft Windows XP Service Pack 2: Enhanced Browsing Security". Microsoft. March 22, 2004. Archived from the original on 2004-04-30.
