[ISN] Experts agree on method, not scope of IIS attacks

From: InfoSec News (isn@private)
Date: Thu Jul 01 2004 - 04:34:06 PDT

  • Next message: InfoSec News: "[ISN] High school students charged with hacking into psychologist's computer"

    By Paul Roberts
    JUNE 30, 2004 
    One day after reports of Web site attacks surfaced, there was
    disagreement about how widespread the attacks were and how many
    Internet users were affected by them.
    Security experts on Friday said companies that failed to apply a
    recent software patch for Microsoft Corp.'s Internet Information
    Services (IIS) Version 5.0 Web server were vulnerable to a new
    Web-based attack from an online criminal hacking group, while
    Microsoft acknowledged that even individuals running the latest
    patches for IIS and the Internet Explorer Web browser could be
    affected if they did not make additional configuration changes. But
    there were widely different accounts of the attacks impact on
    companies and Internet users.
    Hackers are using a recently patched hole buffer overflow
    vulnerability in Microsoft's implementation of SSL (secure sockets
    layer) to compromise vulnerable Windows 2000 systems running IIS,
    Microsoft's Web server, said Stephen Toulouse, security program
    manager in Microsoft's Security Response Center.
    Microsoft patched that flaw in April when it released Security
    Bulletin MS04-011, so companies that installed the patch were not
    vulnerable to compromise, and attackers did not use an unknown or
    "zero day" hole to compromise IIS, he said.
    However, the story is more complicated for Internet users and Web
    surfers. The recent attacks used two vulnerabilities in Windows and
    the Internet Explorer Web browser to silently run the malicious code
    on machines that visited the compromised sites, redirecting the
    customers to Web sites controlled by the hackers and downloading a
    Trojan horse program that captures keystrokes and personal data, he
    One of those vulnerabilities was in code for Microsoft's Outlook
    Express e-mail client that interpreted a kind of URL known as a MIME
    Encapsulation of Aggregate HTML, or MHTML URL, which allows documents
    with MHTML-encoded content to be displayed in software applications
    like the Internet Explorer Web browser. That vulnerability was
    addressed in a security patch from Microsoft, MS04-013, also released
    in April, he said.
    The second vulnerability was discovered last week and Microsoft does
    not have a patch for it, Toulouse said. That hole, called a "cross
    zone scripting" vulnerability, allows attackers to trick Internet
    Explorer into loading insecure content using relaxed security
    precautions typically applied to files stored on the local hard drive
    or obtained from a trusted Web site such as www.microsoft.com,
    according to experts.
    Even Internet Explorer users who apply the MS04-013 patch could still
    be compromised, Toulouse said. Only setting the Internet Explorer
    security level to "high," and having up-to-date antivirus software to
    spot the Trojan horse program as it is downloaded can prevent
    infection, he said.
    "Due to the way this exploit utilizes an unpatched vulnerability we
    were just made aware of, the mitigation here is to follow our safe
    browsing guidance and have updated antivirus software," Toulouse said.
    At gift basket supplier Young's Inc. in Dundee, Mich., network
    administrators first became aware of the new threat on Thursday
    morning, when employees, including the company's CEO, received
    warnings about Trojan programs when they tried to load the company's
    Intranet Web page, said Ron Guyor, a systems administrator at Young's.
    The company uses IIS Version 5.0 with SSL and had not applied the
    April patch, which Guyor believes was the opening hackers used to
    compromise his Web server. After shutting down IIS, Guyor used
    searches for recently updated files in IIS and information from online
    system administrator newsgroups to locate and remove the malicious
    files installed by hackers, he said.
    While he is confident that desktop antivirus software from Symantec
    Corp. prevented the main Trojan horse file from being installed on his
    users' desktops, he's concerned about the unpatched hole in Internet
    Explorer and wary that other malicious code may have also been
    downloaded that Symantec's antivirus engine was not able to detect, he
    "Internet Explorer is a big concern. If there's something Symantec
    doesn't know about yet, all you have to do is hit the wrong Web site
    and [hackers] can install whatever they want to," he said.
    Microsoft hasn't seen evidence of widespread attacks, despite dire
    warnings from some security companies and a handful of tales like
    Guyor's, Toulouse said.
    "Our investigation is showing us that this is not widespread. We
    haven't seen or heard a lot about this," he said.
    That's the case at Network Associates Inc. (NAI), as well, according
    to Vincent Gullotto, vice president of research at NAI's McAfee
    Antivirus Emergency Response Team.
    "We don't have significant reports of Web sites compromised or of
    people sending us examples of the new Trojans," he said. "I'd rate
    this a low risk if you're patched and a medium risk if you're not."
    Still, other security companies reported widespread infections.
    "Hundreds of thousands of computers have likely been infected in the
    past 24 hours," said Ken Dunham, director of malicious code in an
    e-mail statement from iDefense Inc., a security intelligence company
    in Reston, Va.
    Managed security company NetSec Inc., in Herndon, Va., said it has
    seen infections across the majority of its customer accounts and knows
    of infections at large Web hosting farms, where a small number of IIS
    servers out of a large farm of servers have been compromised, said Dan
    Frasnelli, manager of NetSec's Technical Assistance Center.
    The confusion about the extent of attacks shouldn't be surprising,
    especially given the novelty of the attack, said Chris Kraft, a senior
    security analyst at Sophos PLC.
    "There tends to be confusion when something new and interesting
    happens. You get a broad disparity of what people say at the outset of
    the attack."
    Sophos didn't receive many reports from customers about the attacks.  
    Still, Kraft thinks the strategy used by the virus writers makes the
    IIS attacks worth noting.
    "The interesting thing is the delivery mechanism. These hackers
    usurped Web sites that people normally consider safe, then exploited
    vulnerabilities in the Web browser to download a set of instructions,"  
    he said.
    If used successfully against a major Web site such as Yahoo.com or
    eBay.com, the same approach could net millions of computers in just a
    short time that could then be controlled using Trojan horse programs
    and used to launch denial of service attacks or distribute unsolicited
    commercial ("spam") e-mail, he said.
    NAI's Gullotto agrees, saying that the vulnerabilities, Trojan
    programs and exploits used in the attacks are well-known to IT
    security experts and have been circulating on the Internet. Their
    combined use in an attack is new.
    "We've had all this stuff for quite a while. The deal is that it
    happened -- that somebody put the pieces together," he said.
    Help InfoSec News with a donation: http://www.c4i.org/donation.html

    This archive was generated by hypermail 2b30 : Thu Jul 01 2004 - 06:41:34 PDT