Hacker Struck Army Servers Via Unknown Software Flaw Tues 18 Mar 08:48
By Riva Richmond Of DOW JONES NEWSWIRES
(This item was first published Monday night.)
NEW YORK (Dow Jones)--At least two U.S. Army Web servers were attacked last Tuesday by a hacker or hacker group exploiting a previously unknown programming flaw in Microsoft Corp.'s (MSFT) Windows 2000 software, according to security-services company TruSecure Corp.
TruSecure discovered the attack Tuesday while conducting routine intelligence gathering on the hacker community, said Russ Cooper, TruSecure's surgeon general. The private Reston, Va., firm kept the information confidential until Microsoft could provide customers with a fix for the flaw, which it did Monday.
"Everything indicates that only Army sites were attacked," Cooper said.
Though the attack appeared to be targeted, he had no evidence it was the work of terrorists or a foreign government.
Iain Mulholland, security program manager at the Microsoft Security Response Center, said a customer, which he declined to name, informed Microsoft Wednesday evening of an attack affecting IIS servers. The company has only received "isolated" attack reports, and law enforcement has launched an investigation, he said.
An Army spokesman couldn't immediately comment on the matter.
Microsoft posted a "critical" security alert on its Web site (www.microsoft.com/security) Monday, as well as a patch for the flaw and advice on several temporary workarounds for customers who cannot immediately apply the patch.
Concern at Microsoft and Internet-security firms runs high because the attack targeted what was an unknown flaw, a phenomenon security experts call a "zero-day attack." Such attacks are rare and suggest a potentially short window of time until an automated worm could be developed to quickly cripple millions of machines.
"Zero-days are really, really bad," TruSecure's Cooper said. "It's very likely an en masse exploitation is going to occur, in my opinion," and perhaps in as little as seven to ten days. Worms that follow the revelation of a flaw typically don't emerge for at least three to four weeks, he said.
The software flaw the hacker exploited was an unchecked buffer, or memory area, in the Windows component of WebDAV, an extension to the HTTP protocol that allows users in different locations to work together on the development of Web content.
By using WebDAV to flood the memory area with an extra-long Web address, or URL, the attacker was able to execute a program that gave him full control over IIS 5.0 servers, including the ability to infiltrate other computers on the servers' network, plant backdoors and run any programs of his choice.
TruSecure's Cooper said the hacker who infiltrated the Army servers was mapping the network "to see where else to go" when he was discovered. He was also sending server data out through TCP port 3389, which carries a lot of encrypted traffic, making it a good place to hide, Cooper said.
Internet Security Systems Inc. (ISSX) may have provided the Army's intrusion-detection software. Chris Rouland, director of its research arm, X-Force, said a customer it wouldn't name was affected. Rouland said the software detected the attack using protocol anomaly technology that took note of unusually long Web addresses, which stretched to nearly 50,000 characters.
Rouland also said his company had no information suggesting the attack was an event of cyberterror or cyberwar.
Companies that aren't immediately able to apply Microsoft's patch are urged by Microsoft, TruSecure and Internet Security Systems to immediately disable WebDAV if they don't need it. Customers can also download a tool from Microsoft called URLScan that will reject URLs that are unusually long. Furthermore, users can use Microsoft's IIS Lockdown tool to upgrade the security of their Web servers.
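The two defensive signals the article describes, an anomalously long request URL (what ISS's sensor noticed) and WebDAV verbs reaching a server that does not need them (what disabling WebDAV or a URLScan-style rule addresses), can be checked against Web server logs. The following is an added example written for this page, not code from Microsoft, ISS or TruSecure; the log lines are constructed, and the 4096-character ceiling is an assumed policy value rather than a figure from the article.

```python
# Added example (not from the article): flag IIS-style log records whose
# request URL is unusually long or whose method is a WebDAV verb.
WEBDAV_VERBS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                "LOCK", "UNLOCK", "SEARCH"}
MAX_URL = 4096  # assumed policy ceiling, not a value from the article

# Constructed W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = "\n".join([
    "2003-03-11 14:02:11 10.0.0.5 GET /default.htm - 200",
    "2003-03-11 14:02:13 10.0.0.5 PROPFIND /docs/ - 207",
    "2003-03-11 14:02:19 198.51.100.7 SEARCH /" + "A" * 49000 + " - 500",
    "2003-03-11 14:03:01 10.0.0.9 GET /images/logo.gif - 200",
])

def parse_line(line):
    """Split one log line into its seven fields; return None on malformed input."""
    parts = line.split(" ", 6)
    if len(parts) != 7:
        return None
    keys = ("date", "time", "ip", "method", "stem", "query", "status")
    return dict(zip(keys, parts))

def request_url_length(rec):
    """Length of the request target as the server saw it (stem plus ?query)."""
    extra = 0 if rec["query"] == "-" else len(rec["query"]) + 1
    return len(rec["stem"]) + extra

def check_request(rec, max_url=MAX_URL, allow_webdav=False):
    """Return the list of policy reasons this request should be flagged for."""
    reasons = []
    if request_url_length(rec) > max_url:
        reasons.append("url-too-long")
    if not allow_webdav and rec["method"].upper() in WEBDAV_VERBS:
        reasons.append("webdav-verb")
    return reasons

def scan_log(text, **policy):
    """Return (ip, method, url_length, reasons) for every flagged request."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = check_request(rec, **policy)
        if reasons:
            alerts.append((rec["ip"], rec["method"], request_url_length(rec), reasons))
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Pass `allow_webdav=True` to `scan_log` for servers that legitimately use WebDAV, so that only the length anomaly is reported.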
-By Riva Richmond, Dow Jones Newswires; 201-938-5670; riva.richmond@dowjones.com
(END) Dow Jones Newswires 03-18-03 0848ET