Download.ject

From Wikipedia, the free encyclopedia
Malware program
"Scob" redirects here. For the skating club, see Skating Club of Boston.
"Toofer" redirects here. For the 30 Rock character 'Toofer', see James "Toofer" Spurlock.

In computing, Download.ject (also known as Toofer and Scob) is a malware program for Microsoft Windows servers. When installed on an insecure website running on Microsoft Internet Information Services (IIS), it appends malicious JavaScript to all pages served by the site.

Download.ject was the first noted case in which users of Internet Explorer for Windows could infect their computers with malware (a backdoor and key logger) merely by viewing a web page. It came to prominence during a widespread attack starting June 23, 2004, when it infected many servers including several that hosted financial sites. Security consultants prominently started promoting the use of Opera[1] or Mozilla Firefox instead of IE in the wake of this attack.

Download.ject is not a virus or a worm; it does not spread by itself. The June 23 attack is hypothesised to have been put into place by automatic scanning of servers running IIS.

Attack of June 23, 2004

Hackers placed Download.ject on financial and corporate websites running IIS 5.0 on Windows 2000, breaking in using a known vulnerability. (A patch existed for the vulnerability, but many administrators had not applied it.) The attack was first noticed June 23, although some researchers think it may have been in place as early as June 20.

Download.ject appended a fragment of JavaScript to all web pages from the compromised servers. When any page on such a server was viewed with Internet Explorer (IE) for Windows, the JavaScript would run, retrieve a copy of one of various backdoor and key logging programs from a server located in Russia and install it on the user's machine, using two holes in IE — one with a patch available, but the other without. These vulnerabilities were present in all versions of IE for Windows except the version included in Windows XP Service Pack 2,[2] which was only in beta testing at the time.
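Because the same fragment was appended to every page a compromised server sent, a site operator can look for identical script-bearing content trailing the final `</html>` across unrelated pages. The following is an added example, not part of the original article; the function names and sample responses are hypothetical, and it assumes the appended fragment lands after the closing `</html>` tag.

```python
import hashlib
import re
from collections import defaultdict

# Closing </html> tag, tolerant of case and whitespace inside the tag.
HTML_END = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT = re.compile(r"<script\b", re.IGNORECASE)


def trailing_fragment(body: str) -> str:
    """Return whatever the server sent after the final </html>, stripped."""
    matches = list(HTML_END.finditer(body))
    if not matches:
        return ""
    return body[matches[-1].end():].strip()


def find_appended_script(responses: dict[str, str], min_pages: int = 2) -> dict[str, list[str]]:
    """Group URLs by the SHA-256 of a script-bearing trailing fragment.

    A fragment shared by min_pages or more unrelated pages suggests the
    server, not the page author, added it.
    """
    groups = defaultdict(list)
    for url, body in responses.items():
        tail = trailing_fragment(body)
        if tail and SCRIPT.search(tail):
            digest = hashlib.sha256(tail.encode("utf-8")).hexdigest()
            groups[digest].append(url)
    return {d: sorted(u) for d, u in groups.items() if len(u) >= min_pages}


# Constructed sample responses (not captured traffic); the appended
# fragment is a harmless placeholder.
APPENDED = '<script type="text/javascript">/* placeholder fragment */</script>'
SAMPLE = {
    "/index.html": "<html><body>Home</body></html>\n" + APPENDED,
    "/login.html": "<HTML><body>Login</body></HTML >\r\n" + APPENDED + "\n",
    "/about.html": "<html><body>About</body></html>\n<!-- build 42 -->",
    "/clean.html": "<html><body><script>var a=1;</script></body></html>",
}

if __name__ == "__main__":
    for digest, urls in find_appended_script(SAMPLE).items():
        print(digest[:16], urls)
```

Comparing served responses against the files on disk is a complementary check, since content added by the server at response time does not appear in the source files.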

Both the server and browser flaws had been exploited before this.[citation needed] This attack was notable, however, for combining the two, for having been placed upon popular mainstream websites (although a list of affected sites was not released) and for the network of compromised sites used in the attack reportedly numbering in the thousands, far more than any previous such compromised network.

Microsoft advised users on how to remove an infection and to browse with security settings at maximum. Security experts also advised switching off JavaScript, using a web browser other than Internet Explorer, using an operating system other than Windows, or staying off the Internet altogether.

This particular attack was neutralised on June 25 when the server from which Download.ject installed a backdoor was shut down. Microsoft issued a patch for Windows 2000, 2003 and XP on July 2.

Although not a sizable attack compared to email worms of the time, the fact that almost all existing installations of IE — 95% of web browsers in use at the time — were vulnerable, and that this was the latest in a series of IE holes leaving the underlying operating system vulnerable, caused a notable wave of concern in the press. Even some business press started advising users to switch to other browsers, despite the then-prerelease Windows XP SP2 being invulnerable to the attack.

References

  1. Brenner, Bill (October 4, 2004). "Schneier: Microsoft still has work to do". Schneier on Security. Archived from the original on 2004-10-10. Retrieved 2007-01-08.
  2. "Changes to Functionality in Microsoft Windows XP Service Pack 2: Enhanced Browsing Security". Microsoft. March 22, 2004. Archived from the original on 2004-04-30.

Retrieved from "https://en.wikipedia.org/w/index.php?title=Download.ject&oldid=1244687547"