
Malicious Web Attacks May Be New IIS Worm

by phiber on July 17th, 2001

A new Internet worm may be on the loose and could have already infected thousands of sites running Web server software from Microsoft, security experts warned Monday. Since late last week, a malicious program has been scanning the Internet and compromising Microsoft systems running unpatched versions of the Internet Information Server (IIS), according to independent reports. Experts who have reviewed the signature of the code left behind in Web server logs said it appears to exploit a buffer overflow flaw in IIS that was discovered by eEye Digital Security and published last month. In a bulletin released June 18, Microsoft said the flaw could enable an attacker to take complete control of vulnerable IIS systems. The company has released a patch to correct the vulnerability.

According to Marc Maiffret, chief hacking officer for eEye, a preliminary analysis by the security software firm of log files and a copy of the program obtained from victim sites suggests it may be a self-propagating worm designed to scan the Internet for IIS machines vulnerable to the ".ida attack" and to automatically deface their homepages.



According to Maiffret, the defaced page contains a simple message in all red letters: "Welcome to http://www.worm.com! Hacked By Chinese!"



After infecting an IIS system, the program continues randomly scanning the Internet for other unpatched IIS machines. Besides performing defacements, some of the commands recorded in victims' server logs indicate the code may also be pulling a program off the Internet that creates a backdoor on the compromised server, according to Maiffret.



The malicious code can be identified by its attempts to access a flawed IIS file named default.ida on the victim computer. The code also appears to make a connection to a Web server located at worm.com.
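The default.ida requests described above are the indicator an administrator would look for in the IIS W3C-format access log, and counting the distinct clients behind them shows how many hosts are probing the site. The Python below is an added example, not code from the Newsbytes article or from eEye's analysis; the log lines are constructed (documentation address ranges, a filler string instead of any real request), and the 200-character query-length threshold is an assumption.

```python
from collections import Counter

# Hypothetical threshold: a request for a .ida resource normally carries a short
# query string, so a very long one is the signature of the overflow attempt.
LONG_QUERY = 200

def parse_w3c(lines):
    """Yield one dict per entry of a W3C extended log, using its #Fields line."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) == len(fields):       # skip malformed entries rather than
            yield dict(zip(fields, parts))  # misaligning the columns

def find_ida_hits(lines):
    """Return every request whose URI stem is handled by the .ida ISAPI extension."""
    hits = []
    for row in parse_w3c(lines):
        if not row.get("cs-uri-stem", "").lower().endswith(".ida"):
            continue
        query = row.get("cs-uri-query", "-")
        qlen = 0 if query == "-" else len(query)   # "-" means an empty query
        hits.append({"client": row.get("c-ip", "?"), "stem": row["cs-uri-stem"],
                     "status": row.get("sc-status", "?"), "query_len": qlen,
                     "long_query": qlen >= LONG_QUERY})
    return hits

def probing_sources(hits):
    """Count the distinct clients behind the long-query .ida requests."""
    return Counter(h["client"] for h in hits if h["long_query"])

# Constructed sample log: documentation address ranges and a placeholder filler
# in place of any real payload; the status column shows what IIS answered.
FILLER = "X" * 240
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-16 23:59:01 192.0.2.10 GET /default.htm - 200",
    f"2001-07-16 23:59:07 198.51.100.8 GET /default.ida {FILLER} 200",
    f"2001-07-16 23:59:09 203.0.113.77 GET /default.ida {FILLER} 404",
    f"2001-07-16 23:59:11 198.51.100.8 GET /default.ida {FILLER} 200",
    "2001-07-16 23:59:12 192.0.2.10 GET /search.ida q=test 200",
    "garbage line that does not match the field list",
]
```

A legitimate short-query request to an .ida resource is reported but not counted as probing, and a 404 in the status column means IIS had nothing mapped to answer the request.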



The role of the worm.com site is still a mystery, according to Richard Bejtlich, a network security engineer for Ball Aerospace who has encountered non-IIS client machines that were scanned but not compromised by the code.



"It's possible that the program is calling home to papa. But all we know for sure is that there is exploit code that is very actively looking for these vulnerable IIS systems. How your system will be abused once it's compromised, that's still fuzzy," said Bejtlich.



Roy Messer, the owner of the worm.com domain, told Newsbytes that he has no connection to the malicious code, but over the weekend he received eight telephone calls from angry system administrators hit by the program.



"People are accusing me. But I have nothing to do with this thing. I'm a victim too," said Messer, who originally registered the domain hoping to develop it as a search site. At present, the worm.com site redirects visitors to a page at the goto.com search engine.



William VanVorst, chief technical officer for NationalNet, Inc., the Georgia-based Internet service provider which hosts worm.com, told Newsbytes that the site is running on a Unix server and does not appear to have been compromised by attackers.



"All I know is hundreds of hosts out there, many of them from Asia, are trying to access this site, but we don't know why," said VanVorst, who added that the impact on the ISP's routers has been like a distributed denial of service attack. The firm has since put filters in place to block the Internet addresses of the hosts.



Similarly, the administrator of one site compromised by the worm reported to Maiffret that 5,000 unique IIS systems subsequently probed the site over port 80, the port designated for TCP web requests.

The new malicious program resembles an Internet worm reported in May. The Sadmind worm turned unpatched Sun Solaris servers into robots which silently scanned for Windows NT or 2000 systems running IIS and defaced their home pages with an anti-American message.

Earlier this month, a Japanese hacker published source code to a program designed to remotely exploit the ida vulnerability.



According to Maiffret, because the hacker coded the exploit specifically to attack the Japanese-language version of Windows NT, the program will simply crash non-Japanese servers rather than giving the attacker control of them.




Microsoft's bulletin on the ida vulnerability is here.

eEye's advisory on the bug is here.

by Newsbytes, http://www.newsbytes.com.

