

Malicious Web Attacks May Be New IIS Worm - MS issues new patch

posted on July 17, 2001
by hitbsecnews

A new Internet worm may be on the loose and could have already infected thousands of sites running Web server software from Microsoft, security experts warned Monday. Since late last week, a malicious program has been scanning the Internet and compromising Microsoft systems running unpatched versions of the Internet Information Server (IIS), according to independent reports.

Experts who have reviewed the signature of the code left behind in Web server logs said it appears to exploit a buffer overflow flaw in IIS that was discovered by eEye Digital Security and published last month. In a bulletin released June 18, Microsoft said the flaw could enable an attacker to take complete control of vulnerable IIS systems. The company has released a patch to correct the vulnerability....

Malicious Web Attacks May Be New IIS Worm

By Brian McWilliams, Newsbytes

According to Marc Maiffret, chief hacking officer for eEye, a preliminary analysis by the security software firm of log files and a copy of the program obtained from victim sites suggests it may be a self-propagating worm designed to scan the Internet for IIS machines vulnerable to the ".ida attack" and to automatically deface their homepages.

According to Maiffret, the defaced page contains a simple message in all red letters: "Welcome to http://www.worm.com! Hacked By Chinese!"

After infecting an IIS system, the program continues randomly scanning the Internet for other unpatched IIS machines.

Besides performing defacements, some of the commands recorded in victims' server logs indicate the code may also be pulling a program off the Internet that creates a backdoor on the compromised server, according to Maiffret.

The malicious code can be identified by its attempts to access a flawed IIS file named default.ida on the victim computer. The code also appears to make a connection to a Web server located at worm.com.
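The log indicator described above (requests for default.ida) is something a web administrator can search for directly. The following is an added example, not code from the article, eEye or Microsoft: a small Python scanner that reads IIS W3C extended log lines, picks out requests whose URI stem is default.ida, and tallies them per client address. The log lines in it are constructed samples (documentation-range addresses, a placeholder in the query column), and the field list assumes the standard W3C extended columns are enabled on the server.

```python
"""Find default.ida probes in IIS W3C extended log lines.

Added example for this page; it is not code from Newsbytes, eEye or
Microsoft. SAMPLE_LOG below is constructed: the addresses are
documentation-range placeholders and QUERY-PLACEHOLDER stands in for
whatever query string the requests carried.
"""
from collections import Counter

# Default column order assumed when a log file carries no #Fields header.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem",
          "cs-uri-query", "sc-status"]

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-16 03:14:07 198.51.100.23 GET /index.htm - 200
2001-07-16 03:14:09 203.0.113.41 GET /default.ida QUERY-PLACEHOLDER 200
2001-07-16 03:14:10 203.0.113.41 GET /default.ida QUERY-PLACEHOLDER 200
2001-07-16 03:15:02 198.51.100.23 GET /images/logo.gif - 200
2001-07-16 03:16:55 192.0.2.8 GET /Default.IDA QUERY-PLACEHOLDER 404
"""


def parse_w3c(text):
    """Yield one dict per data line, honouring a #Fields header if present."""
    fields = FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                       # other directives / blank lines
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # malformed line: skip, don't misalign
        yield dict(zip(fields, parts))


def find_ida_probes(text):
    """Return {client_ip: count} for requests whose URI stem is default.ida.

    The comparison is case-insensitive because IIS paths are.
    """
    hits = Counter()
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if stem.lower().endswith("/default.ida"):
            hits[rec["c-ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in sorted(find_ida_probes(SAMPLE_LOG).items()):
        print(f"{ip}: {n} default.ida request(s)")
```

Run against a real log directory, the status column is worth keeping in view: a 404 on default.ida indicates the .ida script mapping was not present to answer the request, whereas any other status means the mapped extension was reached and the host should be checked against the vendor patch and the defacement described in the article.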

The role of the worm.com site is still a mystery, according to Richard Bejtlich, a network security engineer for Ball Aerospace who has encountered non-IIS client machines that were scanned but not compromised by the code.

"It's possible that the program is calling home to papa. But all we know for sure is that there is exploit code that is very actively looking for these vulnerable IIS systems. How your system will be abused once it's compromised, that's still fuzzy," said Bejtlich.

Roy Messer, the owner of the worm.com domain, told Newsbytes that he has no connection to the malicious code, but over the weekend he received eight telephone calls from angry system administrators hit by the program.

"People are accusing me. But I have nothing to do with this thing. I'm a victim too," said Messer, who originally registered the domain hoping to develop it as a search site. At present, the worm.com site re-directs visitors to a page at the goto.com search engine.

William VanVorst, chief technical officer for NationalNet, Inc., the Georgia-based Internet service provider which hosts worm.com, told Newsbytes that the site is running on a Unix server and does not appear to have been compromised by attackers.

"All I know is hundreds of hosts out there, many of them from Asia, are trying to access this site, but we don't know why," said VanVorst, who added that the impact on the ISP's routers has been like a distributed denial of service attack. The firm has since put filters in place to block the Internet addresses of the hosts.

Similarly, the administrator of one site compromised by the worm reported to Maiffret that 5,000 unique IIS systems subsequently probed the site over port 80, a port designated for TCP web requests.

The new malicious program resembles an Internet worm reported in May. The Sadmind worm turned unpatched Sun Solaris servers into robots which silently scanned for Windows NT or 2000 systems running IIS and defaced their home pages with an anti-American message.

Earlier this month, a Japanese hacker published source code to a program designed to remotely exploit the ida vulnerability. According to Maiffret, because the hacker coded the exploit specifically to attack the Japanese-language version of Windows NT, the program will simply crash non-Japanese servers rather than giving the attacker control of them.

Microsoft's bulletin on the ida vulnerability is here:

http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

EEye's advisory on the bug is at

http://www.eeye.com/html/Research/Advisories/AD20010618.html

Reported by Newsbytes, http://www.newsbytes.com
