[ISN] Alert: Windows May Deny Users

From: InfoSec News (isnat_private)
Date: Wed Sep 04 2002 - 22:41:04 PDT


By Brian McWilliams
2:30 p.m. Sep. 4, 2002 PDT

Microsoft has issued an unusual warning to Windows users: watch out for a hack attack that could lock you out of your computer and turn it into a launching pad for other attacks.

But some security experts said Microsoft's breathless warning provided administrators with little help in sizing up -- or even fending off -- the potential attack.

According to a "hacking alert" posted [1] on its website, Microsoft's Product Support Services (PSS) Security Team has detected a "significant spike" in Windows systems compromised by a mysterious

Once hit, systems may not allow legitimate users to log on to the network, due to changes made to the systems' security settings, Microsoft said.

Marty Lindner of the Computer Emergency Response Team said the federal security clearinghouse had no additional information about the attacks mentioned in Microsoft's bulletin, which he termed "very vague."

According to Microsoft, several rogue files may be present on compromised systems, including seced.bat, which changes the security policies in Windows 2000 and Windows XP. If the affected systems are used as domain controllers, users may be locked out of the network.

Edward Alfert, an information technology manager in Florida, said several Windows 2000 systems at a customer's site were recently hit by the attackers and configured to run seced.bat at startup.

Mark Miller, a security specialist for Microsoft PSS, said the company hasn't determined how attackers were able to place the malicious files on affected systems. He added that compromised systems do not appear to be victims of a self-propagating Internet worm.

In its warning, Microsoft noted that antivirus software may not detect some of the attack files, specifically "back door" programs that provide an attacker with remote access to an infected system using Internet relay chat (IRC) networks.

Frank Deluca, an information systems manager with a financial services firm in Ohio, discovered several Windows systems apparently infected with the malicious code last week. Deluca said the machines all had a program named taskmngr.exe running at startup.

The program, not to be confused with the legitimate Windows task manager utility, taskmgr.exe, attempted to open a connection to an external site using port 6667, which is normally used by IRC servers, Deluca reported.

Microsoft's Miller said keystroke loggers have also been found on infected systems.

An analysis of taskmngr.exe by malicious code experts at TruSecure Research Group showed it contained a modified version of the popular mIRC chat client. When launched with an initialization file created by the hackers, the program connects the infected computer to an IRC server located at wO0t.nofw.org.
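The indicators the article names (the seced.bat policy script at startup, a lookalike process name such as taskmngr.exe standing in for taskmgr.exe, and an outbound connection to IRC port 6667) lend themselves to a small host triage check. The following Python is an added example written for this page; it is not code from the article, Microsoft, CERT or TruSecure. It generalizes the one lookalike instance in the text into a similarity check against a short list of legitimate Windows binary names, flags seced.bat by name, and flags any process with a connection to port 6667. The legitimate-name list, the 0.85 similarity threshold, the registry Run key locations, the process names and the 192.0.2.x addresses are assumptions and constructed sample data, not values taken from the page.

```python
"""Triage autostart entries and network connections for the indicators the
article describes: seced.bat, a lookalike of taskmgr.exe, and IRC on port 6667.
All sample inputs below are constructed for the demo."""

from difflib import SequenceMatcher

# File named in the article as changing the Windows security policy
KNOWN_BAD_FILES = {"seced.bat"}

# Assumption: a short illustrative list of legitimate binaries that malware
# names tend to imitate; a real deployment would use a fuller list.
LEGIT_BINARIES = {"taskmgr.exe", "svchost.exe", "lsass.exe", "explorer.exe"}

# Port the article says the implant used; 6667 is the conventional IRC port.
IRC_PORTS = {6667}

# Assumption: similarity above this ratio counts as a lookalike name.
LOOKALIKE_THRESHOLD = 0.85


def basename(path):
    """Return the lowercase file name from a Windows or POSIX style path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def lookalike_of(name, legit=LEGIT_BINARIES, threshold=LOOKALIKE_THRESHOLD):
    """Return the legitimate name that `name` imitates, or None.

    An exact legitimate name is not a lookalike. Similarity is the
    difflib ratio, so taskmngr.exe vs taskmgr.exe scores about 0.96."""
    name = name.lower()
    if name in legit:
        return None
    best, best_ratio = None, 0.0
    for candidate in legit:
        ratio = SequenceMatcher(None, name, candidate).ratio()
        if ratio > best_ratio:
            best, best_ratio = candidate, ratio
    return best if best_ratio >= threshold else None


def check_autostart(entries):
    """entries: (location, command) pairs from Run keys or startup folders.

    Every token of the command is inspected, so 'cmd /c seced.bat' style
    launchers are caught as well as direct executable paths.
    Returns (location, finding) pairs."""
    findings = []
    for location, command in entries:
        for token in command.replace('"', "").split():
            name = basename(token)
            if name in KNOWN_BAD_FILES:
                findings.append((location, f"known indicator {name}"))
            elif (legit := lookalike_of(name)) is not None:
                findings.append((location, f"{name} imitates {legit}"))
    return findings


def check_connections(records):
    """records: (process, remote_ip, remote_port) triples, e.g. parsed from
    netstat output. Returns the records whose remote port is an IRC port."""
    return [(proc, ip, port) for proc, ip, port in records if port in IRC_PORTS]


# Constructed sample data: the Run key is a real autostart location, the
# value names and paths are made up for the demo.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_AUTOSTART = [
    (RUN_KEY + r"\Updater", r"C:\WINNT\system32\taskmngr.exe"),
    (RUN_KEY + r"\Policy", r'cmd /c "C:\WINNT\seced.bat"'),
    (RUN_KEY + r"\Monitor", r"C:\WINNT\system32\taskmgr.exe"),  # legitimate
]
SAMPLE_CONNECTIONS = [
    ("taskmngr.exe", "192.0.2.10", 6667),  # constructed documentation address
    ("iexplore.exe", "192.0.2.20", 80),
]

if __name__ == "__main__":
    for location, finding in check_autostart(SAMPLE_AUTOSTART):
        print(f"autostart: {finding} at {location}")
    for proc, ip, port in check_connections(SAMPLE_CONNECTIONS):
        print(f"network: {proc} connected to {ip}:{port} (IRC port)")
```

On a real host the two sample lists would be replaced by the enumerated Run-key values and startup-folder contents and by parsed connection records. Because the name check only measures string similarity, each hit is a lead for manual review rather than a verdict; the article's recovery advice (following CERT's guidance, which includes reinstalling the operating system) is unchanged by what this script finds.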
Microsoft's bulletin advised affected Windows users to follow CERT's recovery advice [2], which includes reinstalling the system's operating system.

Microsoft's PSS Security Team has issued a half-dozen virus warnings this year. Although Microsoft has rededicated itself to improving the security of its products, some security experts found the company's latest hack alert puzzling.

"It's easily one of the most unprofessional pieces of crap I've ever read. Vague, indirect, doesn't say anything useful at all," said Harlan Carvey, a security engineer with a financial services firm.

[1] http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691
[2] http://www.cert.org/tech_tips/root_compromise.html
ISN is currently hosted by Attrition.org

This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 01:03:41 PDT