http://www.wired.com/news/technology/0,1282,54942,00.html

By Brian McWilliams
2:30 p.m. Sep. 4, 2002 PDT

Microsoft has issued an unusual warning to Windows users: watch out for a hack attack that could lock you out of your computer and turn it into a launching pad for other attacks.

But some security experts said Microsoft's breathless warning provided administrators with little help in sizing up -- or even fending off -- the potential attack.

According to a "hacking alert" posted [1] on its website, Microsoft's Product Support Services (PSS) Security Team has detected a "significant spike" in Windows systems compromised by a mysterious attack. Once hit, systems may not allow legitimate users to log on to the network, due to changes made to the systems' security settings, Microsoft said.

Marty Lindner of the Computer Emergency Response Team said the federal security clearinghouse had no additional information about the attacks mentioned in Microsoft's bulletin, which he termed "very vague."

According to Microsoft, several rogue files may be present on compromised systems, including seced.bat, which changes the security policies in Windows 2000 and Windows XP. If the affected systems are used as domain controllers, users may be locked out of the network.

Edward Alfert, an information technology manager in Florida, said several Windows 2000 systems at a customer's site were recently hit by the attackers and configured to run seced.bat at startup.

Mark Miller, a security specialist for Microsoft PSS, said the company hasn't determined how attackers were able to place the malicious files on affected systems. He added that compromised systems do not appear to be victims of a self-propagating Internet worm.

In its warning, Microsoft noted that antivirus software may not detect some of the attack files, specifically "back door" programs that provide an attacker with remote access to an infected system using Internet relay chat (IRC) networks.

Frank Deluca, an information systems manager with a financial services firm in Ohio, discovered several Windows systems apparently infected with the malicious code last week. Deluca said the machines all had a program named taskmngr.exe running at startup. The program, not to be confused with the legitimate Windows task manager utility, taskmgr.exe, attempted to open a connection to an external site using port 6667, which is normally used by IRC servers, Deluca reported.

Microsoft's Miller said keystroke loggers have also been found on infected systems.

An analysis of taskmngr.exe by malicious code experts at TruSecure Research Group showed it contained a modified version of the popular mIRC chat client. When launched with an initialization file created by the hackers, the program connects the infected computer to an IRC server located at wO0t.nofw.org.

Microsoft's bulletin advised affected Windows users to follow CERT's recovery advice [2], which includes reinstalling the system's operating system.

Microsoft's PSS Security Team has issued a half-dozen virus warnings this year. Although Microsoft has rededicated itself to improving the security of its products, some security experts found the company's latest hack alert puzzling.

"It's easily one of the most unprofessional pieces of crap I've ever read. Vague, indirect, doesn't say anything useful at all," said Harlan Carvey, a security engineer with a financial services firm.

[1] http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691
[2] http://www.cert.org/tech_tips/root_compromise.html

-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
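The article names three concrete indicators that an administrator could check for without waiting for a better bulletin: a startup entry that runs seced.bat, a process whose name mimics the real task manager (taskmngr.exe vs. taskmgr.exe), and an outbound connection on port 6667 or to the IRC host wO0t.nofw.org. The script below is an added example, not Microsoft's, CERT's or TruSecure's code, showing how those indicators can be turned into a triage check. The process and startup records it scans are constructed inline to stand in for what you would collect from a host (netstat, Run keys, the Startup folder); the look-alike test uses edit distance so it also catches other one-character misspellings of taskmgr.exe, which goes beyond the single name the article reports.

```python
"""Triage check for the compromise indicators reported in the Wired article.

Added example; not the code of Microsoft, CERT or TruSecure. The host data
below is constructed to mimic what netstat and the Run keys would show.
"""
from dataclasses import dataclass

# Indicators taken from the article.
LEGIT_TASK_MANAGER = "taskmgr.exe"
IRC_PORTS = {6667}
IRC_HOSTS = {"wo0t.nofw.org"}
SUSPECT_STARTUP_FILES = {"seced.bat", "taskmngr.exe"}


@dataclass
class ProcessRecord:
    name: str
    remote: tuple          # (host, port) pairs of outbound connections
    started_at_boot: bool  # launched from a Run key or the Startup folder


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(name: str, legit: str = LEGIT_TASK_MANAGER, max_dist: int = 1) -> bool:
    """True for names within max_dist edits of the legitimate binary but not equal to it."""
    name = name.lower()
    return name != legit and edit_distance(name, legit) <= max_dist


def check_processes(procs):
    """Return (process name, [reasons]) for every process that matches an indicator."""
    findings = []
    for p in procs:
        reasons = []
        if is_lookalike(p.name):
            reasons.append(f"name mimics {LEGIT_TASK_MANAGER}")
        for host, port in p.remote:
            if port in IRC_PORTS:
                reasons.append(f"outbound connection to IRC port {port}")
            if host.lower() in IRC_HOSTS:
                reasons.append(f"connection to known IRC host {host}")
        if reasons and p.started_at_boot:
            reasons.append("runs at startup")
        if reasons:
            findings.append((p.name, reasons))
    return findings


def check_startup_entries(entries):
    """Flag Run-key / Startup-folder commands whose executable is a known rogue file."""
    findings = []
    for cmd in entries:
        # Take the file name from the command, ignoring directory and arguments.
        base = cmd.replace("\\", "/").split("/")[-1].split()[0].lower()
        if base in SUSPECT_STARTUP_FILES:
            findings.append(f"startup entry runs {base}: {cmd}")
    return findings


# Constructed sample host data (paths and the third process are placeholders).
SAMPLE_PROCESSES = [
    ProcessRecord("taskmgr.exe", (), False),                             # legitimate
    ProcessRecord("taskmngr.exe", (("wO0t.nofw.org", 6667),), True),     # indicator
    ProcessRecord("updater.exe", (("updates.example.com", 443),), True),  # benign
]
SAMPLE_STARTUP = [
    r"C:\WINNT\system32\seced.bat",
    r"C:\WINNT\system32\taskmngr.exe",
    r"C:\Program Files\Example\updater.exe /silent",
]


def run_checks(procs=SAMPLE_PROCESSES, startup=SAMPLE_STARTUP):
    return {"processes": check_processes(procs),
            "startup": check_startup_entries(startup)}


if __name__ == "__main__":
    for section, items in run_checks().items():
        print(section)
        for item in items:
            print("  ", item)
```

A hit on any single indicator is a reason to isolate the host and follow the CERT recovery steps the bulletin points to, not to clean the individual files: the article notes that keystroke loggers and antivirus-evading back doors accompanied these artifacts, so the visible names are only the part of the intrusion that was noticed.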
This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 01:03:41 PDT