[ISN] Netscape Sees Red As FBI Warns Of New Attack

From: InfoSec News (isnat_private)
Date: Fri Aug 17 2001 - 01:30:58 PDT


    By Brian McWilliams, Newsbytes
    17 Aug 2001, 12:14 AM CST

    A minimum of eight servers operated by America Online's Netscape
    Communications division have been infected with the Code Red worm,
    according to independent intrusion monitoring services.

    The compromised systems, all with Internet addresses registered to
    Netscape, have probed dozens of healthy computers nearby in the past
    few days, in an attempt to spread the Code Red infection.

    At least six of the Netscape systems were still infected today. None
    of the machines responded to connection requests. Service to
    Netscape's homepage and other online services appeared unaffected by
    the malicious, self-propagating worm, as did the Internet properties
    of its parent, AOL.

    Netscape officials did not reply to interview requests.

    The infiltration of Netscape's network by Code Red comes as the
    Federal Bureau of Investigation issued a caution today about the
    original version of the worm. According to the FBI, Code Red I will
    commence a second denial of service attack against an IP address
    assigned to the Web site operated by the White House at 8:00 p.m.
    Eastern, Sunday August 19.

    Log file entries created by at least one of the infected Netscape
    servers indicate the machine has been compromised by the latest, more
    dangerous variant of the worm, known as Code Red II, according to Jay
    Dyson, an independent security consultant.

    Using Early Bird, an automated intrusion detection system he
    developed, Dyson was first to observe the compromise of Netscape's
    network and report it to the company Thursday. According to Dyson, he
    received no response to his e-mail to Netscape.

    Many of the worms' probes were recorded by system administrators who
    participate in MyNetWatchman, a free service that compiles firewall
    log files from computer operators and automatically escalates serious
    intrusions to the proper authorities.

    Code Red II and its predecessor, Code Red I, both target vulnerable
    Windows systems running Microsoft's Internet Information Server (IIS).
    It was not immediately clear why Netscape, which develops its own
    suite of Web server software, Netscape iPlanet, was running
    Microsoft's IIS product. Nor was it apparent what task the infected
    servers were originally intended to perform. In addition to a
    high-traffic Web portal, Netscape operates numerous servers for
    downloading iPlanet components, as well as its Navigator browser and
    Communicator messaging software products. Netscape competes intensely
    against Microsoft offerings in each of those services and product

    Earlier this month, Microsoft battled a Code Red infection of its own
    which compromised an undisclosed number of computers supporting the
    company's MSN Hotmail, a free Web-based e-mail service.

    While Code Red I was designed primarily to deface Web pages and launch
    a denial of service attack on the White House, Code Red II does not
    deface the home page of a target system. Instead, the newer worm
    secretly creates what security experts call a "back door" on the
    infected server, enabling the worm's author or any other attacker to
    remotely take complete control of the machine.

    Systems infected with both variants of Code Red automatically attempt
    to spread the malicious program by probing other Internet servers to
    determine if they are exposed to a security flaw discovered in June.
    As they scan other systems, the worms leave a unique fingerprint in
    the Web logs maintained by most servers.

    By compiling log files from numerous system administrators, services
    such as MyNetWatchman can help to quickly identify outbreaks of
    Internet infections.
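    The "unique fingerprint" the article refers to is the worm's probe itself:
    an HTTP GET for /default.ida with a long run of filler characters followed
    by %u-encoded bytes in the query string, which the targeted server records
    in its access log whether or not it is vulnerable. The following scanner is
    an added example, not code from Newsbytes, Early Bird or MyNetWatchman. It
    reads both IIS W3C extended and Apache common log lines, flags Code Red
    probes, distinguishes the two variants (the assumption here is that Code
    Red I pads its request with "N" and Code Red II with "X", as the published
    signatures of the time showed), and aggregates the probing source addresses
    the way a log-compiling service would before escalating them. All log lines
    in SAMPLE_LOG are constructed; the addresses and timestamps are made up and
    the %u payload is truncated to a short prefix because only the shape of the
    request matters for detection.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Shape of a Code Red probe as it lands in a web server log: GET /default.ida
# followed by at least 20 filler characters and then %u-encoded bytes.
# Filler "N" is treated as Code Red I and "X" as Code Red II (assumption based
# on the signatures published for the two variants).
CODE_RED_REQUEST = re.compile(
    r"GET\s+/default\.ida\?(?P<filler>N{20,}|X{20,})%u", re.IGNORECASE
)

# IIS W3C extended log: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
IIS_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})"
)
# Apache common/combined log: ip ident user [timestamp] "request" status ...
APACHE_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample input: two probes logged by an IIS server, one probe logged
# by an Apache server, plus benign requests and a bare /default.ida request
# (no worm query string) that must NOT be flagged.
PAYLOAD = "%u9090%u6858%ucbd3%u7801%u9090=a"  # truncated on purpose
SAMPLE_LOG = "\n".join([
    f"2001-08-16 09:12:01 192.0.2.10 GET /default.ida {'N' * 24}{PAYLOAD} 200",
    f"2001-08-16 09:12:05 192.0.2.11 GET /default.ida {'X' * 24}{PAYLOAD} 200",
    "2001-08-16 09:13:44 198.51.100.7 GET /index.html - 200",
    "2001-08-16 09:14:02 203.0.113.5 GET /default.ida - 404",
    f'192.0.2.11 - - [16/Aug/2001:09:20:17 -0400] "GET /default.ida?{"X" * 24}{PAYLOAD} HTTP/1.0" 404 -',
    '198.51.100.7 - - [16/Aug/2001:09:21:00 -0400] "GET / HTTP/1.0" 200 -',
])


def _hit(request: str, ip: str, timestamp: str, status: str) -> Optional[dict]:
    """Return a hit record if the request line carries the Code Red signature."""
    m = CODE_RED_REQUEST.search(request)
    if not m:
        return None
    variant = "Code Red I" if m.group("filler")[0].upper() == "N" else "Code Red II"
    # The status code is kept so an analyst can see how the server answered;
    # the probe is logged either way, which is what makes it a usable fingerprint.
    return {"source": ip, "timestamp": timestamp, "variant": variant, "status": status}


def classify_line(line: str) -> Optional[dict]:
    """Parse one IIS or Apache log line; return a hit record or None."""
    m = IIS_LINE.match(line)
    if m:
        request = f"{m['method']} {m['stem']}?{m['query']}"
        return _hit(request, m["ip"], f"{m['date']} {m['time']}", m["status"])
    m = APACHE_LINE.match(line)
    if m:
        return _hit(m["request"], m["ip"], m["ts"], m["status"])
    return None


def scan_log(text: str) -> List[dict]:
    """Return all Code Red hits found in a block of log text."""
    return [h for h in (classify_line(l) for l in text.splitlines()) if h]


def probing_sources(hits: List[dict]) -> Dict[str, Counter]:
    """Aggregate hits per probing source IP and variant: the summary an
    aggregation service would escalate to the address owner."""
    out: Dict[str, Counter] = {}
    for h in hits:
        out.setdefault(h["source"], Counter())[h["variant"]] += 1
    return out


if __name__ == "__main__":
    for source, counts in probing_sources(scan_log(SAMPLE_LOG)).items():
        print(source, dict(counts))
```

    Note that the bare "GET /default.ida" line with no query string is left
    unflagged: it is not the worm's request, and a detector keyed on the path
    alone would raise a false alarm on it.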
    Microsoft released a patch for the vulnerability exploited by the
    worm, a bug known as the IDA flaw, on June 18. But hundreds of
    thousands of administrators of IIS servers failed to install it five
    weeks later, when Code Red I began to spread virulently. At its peak,
    the original worm burrowed into at least a quarter million IIS
    machines; Code Red II quickly infected approximately 150,000 Microsoft
    servers, according to the Computer Emergency Response Team (CERT), a
    federally funded security clearinghouse at Carnegie-Mellon University.

    Statistics compiled by Incidents.org, an intrusion reporting service
    operated by the SANS Institute, indicate that machines at more than
    75,000 unique Internet protocol (IP) addresses are still infected with
    some form of Code Red today and actively probing other systems.

    According to the FBI's National Infrastructure Protection Center
    (NIPC), the threat posed by the upcoming attack is "significantly
    reduced," due in part to a reduction in the number of systems infected
    with Code Red I.

    Last month, White House system administrators dodged the first denial
    of service attack by disabling the IP address targeted by the worm and
    moving the site to a different address.

    Netscape Communications is at http://www.netscape.com
    MyNetWatchman is at http://www.mynetwatchman.com
    Early Bird is available at http://www.treachery.net/~jdyson/earlybird/
    The NIPC warning is online at
    Reported by Newsbytes, http://www.newsbytes.com

    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Fri Aug 17 2001 - 07:19:11 PDT