[ISN] Microsoft "solves" hacking mystery

From: InfoSec News (isnat_private)
Date: Tue Sep 10 2002 - 00:16:35 PDT

  • Next message: InfoSec News: "[ISN] Linux Security Week - September 9th 2002"

    By Robert Lemos 
    Staff Writer, CNET News.com
    September 9, 2002, 12:01 PM PT
    Microsoft has put a new spin on a mysterious rash of Windows 2000
    An advisory from the software giant last week warned companies of a
    number of attacks targeting servers running Windows 2000, the cause of
    which had initially puzzled Microsoft.
    After following a trail of evidence left behind on compromised Windows
    2000 servers, the company now believes that hackers have
    systematically exploited Windows 2000 servers that haven't been
    properly locked down, rather than a hole in the operating system.
    "Microsoft has determined that these attacks do not appear to exploit
    any new product-related security vulnerabilities and do not appear to
    be viral or worm-like in nature," the software giant stated in an
    advisory posted late Friday. "Instead, the attacks seek to take
    advantage of situations where (proper) precautions have not been
    The advisory from Microsoft's Product Support Services replaced an
    older one that had few details, leading it to be criticized by
    security experts as too vague to be of any help.
    The attacks are linked by a common set of software detritus, left
    behind by an attacker to help keep control of compromised boxes. The
    most recent advisory warns that "successful compromises leave a
    distinctive pattern," including a modified security policy--if the
    victim's computer is a domain controller--and files identified as
    Backdoor.IRC.Flood installs an Internet Relay Chat (IRC) client that
    allows remote and unlimited access to the compromised computer.
    In addition, the hacked computers contain a common set of files,
    including Gg.bat, Seced.bat, Nt32.ini, Ocxdll.exe and Gates.txt. The
    file Gg.bat attempts to connect to other servers as an administrator
    or root user, while Seced.bat changes the security policy. Gates.txt
    contains a list of numerical Internet addresses; the advisory didn't
    offer details as to what the addresses may correspond.
    All the compromised computers ran Microsoft's Windows 2000 operating
    Microsoft stressed in its advisory that while the attacks seem to have
    a common thread, there wasn't any proof that they exploited a weakness
    in the operating system.
    "The attackers appear to have gained entry to the systems by using
    weak or blank administrator passwords," the company said in the latest
    However, the software giant didn't explain why every computer attacked
    happened to be a Windows 2000 server. Insecure password problems
    affect all computers, not just a single version of an operating
    Microsoft recommends that all its customers protect their servers by
    eliminating weak or blank passwords, disabling the guest account,
    running up-to-date antivirus software, using firewalls to protect
    internal servers and keeping current with all security patches.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Sep 10 2002 - 02:56:40 PDT