IIS 6 (Windows 2003) Servers Infected with the Downadup/Conficker

Conficker, also known as Downadup, is a piece of malware designed to spread by exploiting a vulnerability in the Windows Server service, which runs inside SVCHOST.EXE (the flaw addressed by security bulletin MS08-067). In this regard, all unpatched versions of Windows client and server operating systems are at risk of infection, including Windows 7 and Windows Server 2008 R2. However, the threat is most severe on the precursors of Windows Vista and Windows Server 2008, namely Windows XP and Windows Server 2003. Microsoft has received reports of Windows Server 2003 machines running Internet Information Services 6 being infected with the malware, and Paul Cociuba, from the IIS and ASP.net Support Team, described the symptoms that would clue administrators in that an IIS 6 server has been compromised.

“You start your browser to connect to the ASP.net application but all you receive once you navigate to its address is a 'Service Unavailable' message in your browser. Upon investigation of your Event Viewer Application log, you notice that there are lots of errors logged by ASP.net 2.0 telling you that the Application Domain could not be created,” Cociuba stated. “You start your browser and when you open the page of your ASP.net application you have a message that informs you that the application could not connect to the 'Out Of Process State Server' in ASP.net. Upon investigation you note that the aspnet_state.exe process that hosts the 'Out Of Process State Server' is running and nothing has changed in the configuration of your IIS 6 server,” he added.

Microsoft patched the Windows Server service vulnerability in October 2008 (MS08-067), before Conficker appeared, so an infected server is by definition one that never received the update; Cociuba referred only to several cases of IIS 6 servers being infected with Conficker. Microsoft has so far detected two versions of the malware, namely Worm:Win32/Conficker.A and Worm:Win32/Conficker.B. For end users, the Windows Malicious Software Removal Tool is sufficient to detect and remove this specific threat. When it comes to IIS 6, the process is a tad more complicated: the worm tampers with the access control lists (ACLs) on two files that ASP.net depends on, and those have to be re-established by hand after the worm itself is removed.

“You need to manually re-establish the ACLs on these files. For the WindowsShell.manifest, this can be done via the Windows Explorer interface, by selecting the file and editing its properties. In the 'Security' tab grant the following rights: Group: 'Users' should have read and execute rights; Group: 'Power Users' should have read, execute and write rights; User: SYSTEM should have all rights on this file. For the pubpol1.dat, which is found in the .Net Framework GAC (Global Assembly Cache), we cannot change the ACLs via Windows Explorer since the shell of Windows Explorer has been changed to display the contents of this special folder. We have to revert to the command line utility called cacls.exe,” Cociuba explained.

Admins will have to run the following commands, one per identity:

    cacls.exe c:\windows\assembly\pubpol1.dat /E /G SYSTEM:F
    cacls.exe c:\windows\assembly\pubpol1.dat /E /G "Power Users":C
    cacls.exe c:\windows\assembly\pubpol1.dat /E /G USERS:R

Here /E edits the existing ACL instead of replacing it (without /E, cacls would discard every other entry on the file) and /G grants the named right: F is full control, C is change, and R is read. Note that C (change) is slightly broader than the read, execute and write rights granted through Explorer for WindowsShell.manifest, since change also allows the file to be deleted.

“Once the modifications are in place, you should be able to restart w3wp.exe with no errors being logged from ASP.net, or you should be able to restart the 'ASP Net Session State Service' and then connect to the ASP.net application that uses out of process sessions,” Cociuba said.
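The same repair as a script, added here as an example and not part of the article or of Cociuba's post. It assumes PowerShell is installed on the Windows Server 2003 host, that the session runs with administrative rights, and that WindowsShell.manifest sits directly under %SystemRoot% (the article does not give its path). It checks both files against the rights the article prescribes, adds only the Allow entries that are missing (merging with the existing ACL, like cacls /E /G), and re-checks afterwards; it repairs a symptom only, so the worm must still be removed and MS08-067 applied.

```powershell
# Added example (not from the article or from Microsoft): verify and restore the ACLs
# Conficker tampers with on WindowsShell.manifest and the GAC publisher-policy cache.
# Assumptions: PowerShell is installed on the Windows Server 2003 host, the session
# is elevated, and WindowsShell.manifest lives directly under %SystemRoot%.
$ErrorActionPreference = 'Stop'

$files = @(
    (Join-Path $env:SystemRoot 'WindowsShell.manifest'),   # path assumed, not given by the article
    (Join-Path $env:SystemRoot 'assembly\pubpol1.dat')     # GAC cache file named in the article
)

# Rights the article prescribes. The cacls form grants "Power Users" :C (Change), which
# also includes Delete; the narrower Explorer form (read, execute, write) is used here.
$expected = @{
    'BUILTIN\Users'       = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute'
    'BUILTIN\Power Users' = [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, Write'
    'NT AUTHORITY\SYSTEM' = [System.Security.AccessControl.FileSystemRights]'FullControl'
}

# Returns one line per identity whose Allow entries do not cover the expected rights.
function Test-FileAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $problems = @()
    foreach ($identity in $expected.Keys) {
        $rules = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $identity -and $_.AccessControlType -eq 'Allow'
        })
        # OR together every Allow entry for the identity, then check the wanted bits are all set
        $granted = 0
        foreach ($r in $rules) { $granted = $granted -bor [int]$r.FileSystemRights }
        $want = [int]$expected[$identity]
        if (($granted -band $want) -ne $want) {
            $have = ($rules | ForEach-Object { $_.FileSystemRights }) -join ', '
            $problems += ('{0}: has [{1}], needs [{2}]' -f $identity, $have, $expected[$identity])
        }
    }
    return $problems
}

# Adds the expected Allow entries on top of whatever is already there (like cacls /E /G).
function Repair-FileAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($identity in $expected.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $identity, $expected[$identity], 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($f in $files) {
    if (-not (Test-Path -Path $f)) { Write-Warning "$f not found, skipping"; continue }
    $before = @(Test-FileAcl -Path $f)
    if ($before.Count -eq 0) { Write-Host "$f : ACL already as expected"; continue }
    Write-Host "$f : repairing ACL"
    $before | ForEach-Object { Write-Host "    $_" }
    Repair-FileAcl -Path $f
    $after = @(Test-FileAcl -Path $f)
    if ($after.Count -eq 0) { Write-Host "    restored" }
    else { Write-Warning ("$f still wrong: " + ($after -join '; ')) }
}
```

Get-Acl and Set-Acl go through the file system provider, so the GAC path works even though Explorer shows that folder through its shell extension. If Set-Acl fails with access denied, the worm has also removed the administrators' right to change permissions; take ownership of the file first and then re-run. After the script reports both files restored, restart w3wp.exe (or the ASP.NET State Service) and confirm that ASP.net no longer logs application domain errors, as the article describes.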