Previously undiscovered flaw used to attack Army Web site.
A computer intruder armed with a secret, particularly effective attack tool recently took control of an Army Web server, MSNBC.com has learned. Both Microsoft and the CERT Coordination Center released hastily prepared warnings on Monday about the vulnerability that led to the attack. But it was a disturbingly successful attack, experts say, because the intruder found and exploited a flaw that took security researchers completely by surprise.
It's unknown what Army computer was attacked, how significant a target it was, or what the intruder's intentions were. But the exploit was sophisticated and well designed, and it was alarmingly successful, said Russ Cooper, security researcher for TruSecure Corp. The company learned of the attack through sources in the U.S. military last Tuesday, Cooper said.
"We believe the Army was being targeted," Cooper said. "We don't believe anybody else has been targeted by this."
Another source told MSNBC.com that several Web sites with ".mil" domain names have recently been targeted with the same attack method.
Microsoft's director of security assurance, Steve Lipner, confirmed that several customers were hit with the attack last week, but he refused to identify them.
(MSNBC is a Microsoft-NBC joint venture.)
Lipner said about 100 employees worked "around the clock" last week, and through the weekend, to develop an emergency fix.
Calls to the U.S. Army's press office weren't immediately returned.
While the timing of the revelation could raise suggestions that the attack might be connected to the potential armed conflict between the United States and Iraq, there is no reason to connect the two events, Cooper said.
The flaw was made worse by the fact that it took computer security experts by surprise. Most of the time, software vulnerabilities are discovered by researchers, who publish them and give computer administrators time to defend against the flaw before it is exploited. This time, the "bad guys" knew about it first -- leaving any exposed computer defenseless against the attack until a patch existed.
"Having attacks reported to us where there's a vulnerability for which there isn't a patch is very unusual," Lipner said.
In the computer security world, such secret vulnerabilities are called "zero-day exploits." It's been at least a year since a significant zero-day exploit was revealed, said Chris Rouland, director of Internet Security Systems' X-Force research team. Because hackers have the upper hand in this vulnerability, "this has a very high degree of urgency," Rouland said.
The flaw allows an attacker to break into computers running Microsoft's Windows 2000 operating system and Microsoft's Internet Information Service Web server product -- probably the most popular configuration for Web servers running Microsoft software, Rouland said. All machines are vulnerable by default.
Administrators are advised to immediately install the patch that Microsoft quickly developed. It is available for free at the company's Web site.
CERT's warning about the flaw is sober. "Any attacker who can reach a vulnerable Web server can gain complete control of the system," it says. "Note that this may be significantly more serious than a simple 'Web defacement.'"
Shawn Hernan, Vulnerability Handling Team leader for CERT, described the problem as a "first-class vulnerability" because it allows attackers to take control of a machine from anywhere on the Internet. He said there were "rumors circulating" that it had already been used to attack computers, but "we wouldn't comment on that."
The most intriguing part of the attack is that its developer chose to use it to break into U.S. military computers. Also intriguing was a cryptic message left on the attacked computer that read "Welcome to the Unicorn beachhead," Cooper said.
"I think whoever discovered it had an intent in mind," he said. "If they just wanted to deface a Web site, they would have done that to the first box they found. But they were doing network mapping. They found a weak link somewhere, and wanted to get deeper inside by continuing to probe."