A computer attack on 10 March on a server run by the US Army resulted in the complete compromise of that machine and may herald the advent of a new worm in the very near future, security company TruSecure warned.
The server was running Microsoft Windows 2000 with Internet Information Server (IIS), but was not part of the Army's website infrastructure, nor was the server performing any important functions or storing sensitive information, according to TruSecure surgeon general Russ Cooper.
Army IT personnel only became aware of the problem after noticing the increased network scanning activity emanating from the box, and the machine also displayed a message saying "Welcome to the Unicorn Beachhead".
Army personnel initially rebuilt the compromised server, only to have it hacked again almost immediately. "They didn't know that it was a new vulnerability. They just knew that [IIS] was patched and the attack was still working," Cooper said.
After learning of the attack, TruSecure contacted Microsoft about the problem, and Microsoft appeared to be unaware of the existence of the new vulnerability at that time.
Within hours, however, Microsoft appeared to be in a high state of alert about the problem.
Colonel Ted Dmuchowski, director of information assurance in the Army's Network Technology Enterprise Command, denied the attack had taken place.
"To the best of our knowledge, an Army system was not attacked," he insisted. "According to our records, the military sites that were attacked did not belong to the Army."
Dmuchowski said the Army was aware of the IIS vulnerability, however, and was taking steps to patch all of its affected networks.
TruSecure learned of the attack from confidential sources within the Army and contacted Microsoft, which released a critical patch for the buffer overflow vulnerability, warning that it was already aware of exploits using the vulnerability. Microsoft did not provide details on those exploits, however.
The flaw exists in a Windows 2000 component that is used to handle the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol.
WebDAV is a set of extensions to HTTP (Hypertext Transfer Protocol) that allows users to edit and manage files on remote Web servers. The protocol is designed to create interoperable, collaborative applications that facilitate geographically dispersed "virtual" software development teams.
In the attack, a specially formatted URL was used to generate a buffer overflow. After the machine was compromised, it began collecting information on the network that machine was connected to, a process known as "network mapping," according to Cooper.
"It was delivered the same way as Code Red," Cooper said, although the attack on the Army server did not attempt to replicate itself.
Information gained from the network mapping was sent back to the attacker using port 3389, which is used by Microsoft Terminal Services.
It is not known what information was sent from the machine. However, the IP addresses of other machines on the network and information on what services were running would all be valuable to a malicious hacker, Cooper said.
Because a highly developed attack using the vulnerability already exists, TruSecure predicted that a worm exploiting the new IIS security hole could appear in as little as a week, and advised administrators running vulnerable versions of IIS to patch them immediately or disable WebDAV.
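The two observable traits the article describes, an oversized WebDAV request hitting the server and the compromised host then opening an outbound connection on port 3389, are the sort of thing an administrator can look for in existing logs while patching. The following is an added example written for this page, not code from TruSecure, the Army or Microsoft; the log field layouts, the 1024-byte URI threshold and all sample log lines are assumptions constructed for illustration.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind src detail")
# WebDAV verbs (RFC 2518) that IIS hands to its WebDAV component.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
MAX_URI_LEN = 1024            # assumed threshold; real WebDAV paths are far shorter
TERMINAL_SERVICES_PORT = 3389  # port the article says the mapping data left on
# Assumed W3C extended log fields: date time c-ip cs-method cs-uri-stem sc-status
IIS_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
# Assumed firewall log fields: date time action proto src-ip dst-ip dst-port
FW_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")

def scan_iis(log_text):
    """Flag WebDAV requests whose URI is implausibly long (overflow attempt)."""
    findings = []
    for line in log_text.splitlines():
        m = IIS_LINE.match(line)
        if not m:
            continue  # skips #Fields headers and other non-request lines
        _, _, client, method, uri, status = m.groups()
        if method.upper() in WEBDAV_METHODS and len(uri) > MAX_URI_LEN:
            findings.append(Finding("long-webdav-uri", client,
                                    f"{method} uri_len={len(uri)} status={status}"))
    return findings

def scan_firewall(log_text, web_server_ip):
    """Flag the web server itself initiating connections to port 3389."""
    findings = []
    for line in log_text.splitlines():
        m = FW_LINE.match(line)
        if not m:
            continue
        _, _, action, proto, src, dst, port = m.groups()
        if src == web_server_ip and int(port) == TERMINAL_SERVICES_PORT:
            findings.append(Finding("outbound-3389", src, f"{proto} -> {dst}:{port} {action}"))
    return findings

# Constructed sample logs (not real data): a normal PROPFIND, an oversized SEARCH,
# then web server 192.0.2.10 opening an outbound session to 203.0.113.9 on 3389.
SAMPLE_IIS = "\n".join([
    "2003-03-10 04:12:01 192.0.2.7 GET /default.htm 200",
    "2003-03-10 04:12:05 192.0.2.7 PROPFIND /docs/ 207",
    "2003-03-10 04:13:22 203.0.113.9 SEARCH /" + "A" * 2000 + " 500"])
SAMPLE_FW = "\n".join([
    "2003-03-10 04:13:40 ALLOW TCP 192.0.2.10 203.0.113.9 3389",
    "2003-03-10 04:14:02 ALLOW TCP 192.0.2.7 192.0.2.10 80"])
```

Run both scanners over the sample text (`scan_iis(SAMPLE_IIS)` and `scan_firewall(SAMPLE_FW, "192.0.2.10")`); each returns exactly one finding, and the same functions apply unchanged to real W3C and firewall exports that use the assumed field order.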
Yesterday Microsoft announced that the MS03-007 patch was incompatible with 12 software fixes for Windows 2000 issued by Microsoft's Product Support Services (PSS) between December 2001 and February 2002.