[ISN] Old Worm Strikes Security Contractor - Report

From: InfoSec News (isnat_private)
Date: Tue Sep 04 2001 - 02:19:05 PDT

    http://www.newsbytes.com/news/01/169660.html
    
    By Brian McWilliams, Newsbytes
    ALEXANDRIA, VIRGINIA, U.S.A.,
    01 Sep 2001, 12:34 AM CST
     
    A Web server operated by Veridian Corporation has been infected with
    the Sadmind Worm, according to a report by a French hacking
    information site.
    
    In an online article published Monday, Kitetoa.com claimed that it had
    discovered evidence that Veridian's site was compromised by Sadmind, a
    self-propagating worm that replaces the homepage on infected sites
    with a profane, anti-American message in red letters on a black
    background.
    
    Officials from Veridian, a U.S. government contractor that specializes
    in network security management, were not immediately available for
    comment.
    
    Kitetoa has published an image of the Veridian defacement at its Web
    site. The page at Veridian's site, http://www.veridian.com/upload/,
    was not viewable today.
    
    The Sadmind worm, first identified in May, turns vulnerable Sun
    Microsystems servers running the Solaris operating system into robots
    that deface sites running unpatched versions of Microsoft's Internet
    Information Server (IIS) software.
    
    According to Netcraft.com, Veridian is running Microsoft's IIS version
    5 on Windows 2000.
    
    Last week, the Defense Intelligence Agency announced that it is
    awarding a contract to Veridian to assist the agency in analyzing
    network intrusions on Department of Defense networks.
    
    Kitetoa has a penchant for showing up high-profile Internet companies.
    
    In March this year, Kitetoa discovered that two servers operated by
    online ad giant DoubleClick had been compromised by hackers. In
    response to the Kitetoa report, DoubleClick representatives confirmed
    that attackers had placed a back-door program on the company's server
    at doubleclick.net, and had viewed files on another server at
    abacusonline.doubleclick.net.
    
    A year ago, Kitetoa reported that software maker Bull Groupe's Web
    site had left exposed an internal sales and marketing database
    containing confidential customer information.
    
    This year, the Sadmind worm has vandalized more Web sites than any
    human hacking group. According to statistics gathered by the
    Safemode.org defacement archive, the worm has infected at least 874
    sites since June. The second most prolific defacer is a crew known as
    BHS, which has racked up 436 defacements since November of last year.
    
    Once the Sadmind worm has penetrated a Sun machine by exploiting a
    known vulnerability in Solaris, it scans the Internet for Windows NT
    or Windows 2000 systems running IIS. When it finds a system vulnerable
    to the Unicode exploit, the worm defaces the machine's home page.
    
    Other prominent companies with servers recently infected by the worm
    include Quote.com, Informix Corp. and Upside Media, according to
    Safemode records.
    
    Veridian Corporation is at: http://www.veridian.com .
    
    The Kitetoa report on Veridian is at:
    http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/Admin7/veridian1.shtml .
    
    The image of the Veridian defacement is at:
    http://www.kitetoa.com/Images4/Veridian.com/veridian.gif .
    
    Information on the Sadmind worm can be found here:
    http://www.cert.org/advisories/CA-2001-11.html .
    
    
    