[ISN] Microsoft Blames Hackers, Not Vulnerability, For Web Attack

From: InfoSec News (isn@private)
Date: Tue Jun 29 2004 - 06:24:01 PDT

    By Gregg Keizer
    TechWeb News 
    June 28, 2004 
    The Web attack that was stopped dead in its tracks on Friday when a
    Russian Web site was taken offline remained under investigation Monday
    by a host of security firms still puzzled over the method used to
    infect a number of Microsoft Internet Information Services servers.
    But the evidence now is leading them to accept Microsoft's explanation
    that the IIS 5.0 servers were hacked manually and that the server
    software doesn't have an unknown vulnerability.
    "Nobody yet knows how these servers were infected," said Ken Dunham,
    director of malicious code research at iDefense. "But if it was a
    widespread vulnerability, how come there weren't more servers
    infected? If that was the case, we should have heard reports by now
    about lots of other computers" being infected with the malicious
    JavaScript code.
    Microsoft released a statement Saturday claiming that the
    attack--which infected an unknown number of IIS servers, which, in
    turn, delivered malicious code to any Internet Explorer user who
    surfed sites hosted by those servers--"is not a worm or virus. In
    other words, this attack is a targeted manual attack by individuals or
    entities towards a specific server."
    Symantec Corp.'s research, said Oliver Friedrichs, a senior manager
    with the company's virus response team, also leans toward manual
    hacks. "That's what it looks like," he said. "It's certainly not a
    worm or an automated exploit."
    Microsoft said that all the compromised servers were running IIS 5.0
    unpatched against a vulnerability disclosed in April. Some security
    firms last week theorized that even patched IIS systems were
    vulnerable, but that now seems to have been a false alarm.
    One security analyst who requested anonymity said that it was more
    likely that those reports originated with IT administrators trying to
    do damage control. "Perhaps they applied the patch but it didn't take,
    thought they had the patch in place but didn't, or they didn't apply
    the patch at all but now say they did. It's easier to say 'there are
    some clever hackers out there' than to admit you got caught with your
    pants down."
    An accounting of infected servers was provided Monday by Cyveillance,
    a vendor of online risk and management tools. As of Sunday,
    Cyveillance detected 641 sites that were infected by the malicious
    The company used its June audit of more than 50 million domains to
    pinpoint the 6.2 million sites known to run IIS 5.0, then collected
    and analyzed pages from those sites to test for infection. If
    Cyveillance's numbers are on the money, that means fewer than one
    hundredth of 1% of the IIS 5.0 servers in use remained compromised
    The picture is clearer on the client side, where Internet Explorer 5.0
    and 6.0 remain vulnerable to future iterations of this kind of
    malicious code delivery system. Last week's attack exploited two
    vulnerabilities in the browser, one known and patched, the other known
    but not yet fixed.
    "This is huge," argued Dunham, whose company has traced the attack to
    a well-known group of hackers dubbed HangUP, based in Russia. HangUP
    "has a new trick in their bag to attack Internet Explorer users at
    The group has accumulated hundreds of megabytes of stolen financial
    information, said Dunham, and sells it on the black market. Last
    week's attack was ultimately meant to deliver key loggers and Trojan
    horses to compromised users' machines to steal account information and
    credit-card numbers.
    Nor is the group going to stop. "Even if they sell a credit-card
    number for just $1 to $3 a pop--and they have hundreds of megabytes of
    data--you do the math," Dunham said. "A million dollars in Russia is a
    lot of money. And they're able to recruit new members because they
    have an illicit business model that works."
    In other words, expect more such attacks. "The potential for future
    attacks is real," Friedrichs said. "We could see them in a couple of
    days or a couple of weeks."
    Until the unpatched vulnerability is fixed by Microsoft, users can
    rely on a combination of safe surfing practices and some technical
    workarounds to make sure they're secure.
    Large, trusted commercial sites, said Symantec's Friedrichs, can be
    assumed to be patched against the IIS vulnerability, but smaller sites
    may not. "Use common sense when you surf," he advised.
    Other experts recommend that users execute the "kill bit" setting for
    IE within the Windows registry to disable ActiveX.
    * Create a registry key called:
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}
    * Then, create a dword value named "Compatibility Flags" and give it a
      value of 400.
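    The two registry steps above as a script, added here as an example and
    not part of the original article. It assumes an elevated PowerShell
    prompt and reads the article's "400" as hexadecimal 0x400, the kill-bit
    flag; the function names are hypothetical.

```powershell
# Added example: set and verify the kill bit for the CLSID named in the article.
$Clsid   = '{00000566-0000-0010-8000-00AA006D2EA4}'   # CLSID from the article
$Name    = 'Compatibility Flags'
# Assumption: the article's "400" is hexadecimal. Entering decimal 400
# (0x190) would not set the 0x400 bit and the control would stay enabled.
$KillBit = 0x400

# 64-bit Windows keeps a second registry view used by 32-bit Internet
# Explorer, so both locations are covered where they exist.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit {
    param([string]$Root, [string]$Clsid)
    $key = Join-Path $Root $Clsid
    $v = (Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue).$Name
    # True only when the value exists and the 0x400 bit is present.
    return ($null -ne $v) -and (($v -band $KillBit) -eq $KillBit)
}

function Set-KillBit {
    param([string]$Root, [string]$Clsid)
    $key = Join-Path $Root $Clsid
    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    if (Test-KillBit -Root $Root -Clsid $Clsid) { return }   # already set
    $current = (Get-ItemProperty -LiteralPath $key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $current) { $current = 0 }
    # OR the flag in so any other compatibility flags already present survive.
    New-ItemProperty -LiteralPath $key -Name $Name -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null
}

foreach ($root in $Roots) {
    # Skip the 32-bit view on systems that do not have it.
    if (-not (Test-Path -LiteralPath (Split-Path $root -Parent))) { continue }
    Set-KillBit -Root $root -Clsid $Clsid
    '{0}: kill bit set = {1}' -f $root, (Test-KillBit -Root $root -Clsid $Clsid)
}
```

    A kill bit applies only to the one control identified by the CLSID;
    Internet Explorer has to be restarted before the change takes effect.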
    Microsoft recommends that users set Internet's security to "High," but
    that setting will interfere with normal surfing. Another option is to
    download and install the still-not-final release candidate of Windows
    XP Service Pack 2, which Microsoft says isn't susceptible to this type
    of attack.

    This archive was generated by hypermail 2b30 : Tue Jun 29 2004 - 07:34:09 PDT