A March 10 computer attack on a server run by the U.S. Army using the recently disclosed Microsoft Corp. Internet Information Server (IIS) vulnerability resulted in the complete compromise of that machine and may herald the advent of a new worm in the very near future, according to security company TruSecure Corp.
The incident was an instance of a rare "zero day" attack, in which an as-yet unreported vulnerability is used to compromise a remote system, TruSecure said.
The targeted server was a publicly addressable IIS server managed by the Army, but it was not part of the Army's Web site infrastructure, nor was it performing any important functions or storing sensitive information, according to TruSecure's Russ Cooper.
"It was a totally useless Web server doing nothing whatsoever," Cooper said.
The Army did not respond to requests for comment.
The Herndon, Virginia, company learned of the attack on March 11 from confidential sources within the Army and contacted Microsoft, Cooper said.
Microsoft released a critical patch for the buffer overflow vulnerability on Monday, warning that it was already aware of exploits using the vulnerability. The Redmond, Washington, company did not provide details on those exploits, however.
The flaw exists in a Windows 2000 component that is used to handle the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol.
WebDAV is a set of extensions to HTTP (Hypertext Transfer Protocol) that allows users to edit and manage files on remote Web servers. The protocol is designed to create interoperable, collaborative applications that facilitate geographically dispersed "virtual" software development teams.
The March 10 attack was directed specifically at the Army and was not the result of a broader or indiscriminate attack, according to Russ Cooper, Surgeon General of TruSecure.
In that attack, a specially formatted URL (Uniform Resource Locator) was used to trigger the buffer overflow. After the machine was compromised, it began collecting information about the network to which it was connected, a process known as "network mapping," according to Cooper.
"It was delivered the same way as Code Red," Cooper said.
However, unlike the Code Red worm, which hit computers worldwide in 2001, the attack on the Army server did not attempt to replicate itself, according to Cooper.
Information gained from the network mapping was sent back to the attacker using port 3389, which is used by Microsoft Terminal Services.
It is not known what information was sent from the machine. However, the IP (Internet Protocol) addresses of other machines on the network and information on what services were running would all be valuable to a malicious hacker, according to Cooper.
Because the targeted server was a low-value asset, there were initially few warnings that a compromise had taken place.
Army IT personnel only became aware of the problem after noticing the increased network scanning activity emanating from the box, Cooper said.
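The two observable stages of the incident described above, an overlong WebDAV request arriving at IIS and the compromised server then probing its own network and calling out on port 3389, lend themselves to simple log-based detection. The following is an added example, not code from the article, TruSecure or Microsoft: the IIS log lines and connection records are constructed, and the URI-length and host-count thresholds are assumptions rather than values from the advisory.

```python
"""Defender-side checks for the IIS/WebDAV incident pattern in the article."""

# WebDAV verbs (RFC 2518 plus SEARCH). The article does not say which verb was used.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}
MAX_URI_LEN = 1024  # assumed threshold; legitimate WebDAV paths are far shorter

# Constructed IIS W3C-style log: date time c-ip cs-method cs-uri-stem sc-status
IIS_LOG = (
    "2003-03-10 02:14:01 10.0.0.7 GET /index.htm 200\n"
    "2003-03-10 02:14:05 203.0.113.9 PROPFIND /docs/ 207\n"
    "2003-03-10 02:14:09 203.0.113.9 SEARCH /" + "A" * 2000 + " 500\n"
)


def parse_iis(text):
    """Parse the six-field log format above into dicts; skips '#' directives."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, cip, method, uri, status = line.split(" ", 5)
        rows.append({"ts": f"{date} {time}", "src": cip, "method": method,
                     "uri": uri, "status": int(status)})
    return rows


def flag_webdav_overlong(rows, max_len=MAX_URI_LEN):
    """WebDAV verbs carrying an abnormally long URI: the delivery vector named in the article."""
    return [r for r in rows if r["method"] in WEBDAV_METHODS and len(r["uri"]) > max_len]


# Constructed outbound connection records from the web server: (src, dst, dport).
# The mapping port (139) is a constructed detail; the article gives none.
WEB_SERVER = "10.0.0.5"
CONNECTIONS = [(WEB_SERVER, f"10.0.0.{i}", 139) for i in range(1, 30)]
CONNECTIONS.append((WEB_SERVER, "203.0.113.9", 3389))


def flag_outbound_mapping(conns, web_server, min_hosts=20, exfil_port=3389):
    """A web server should rarely initiate connections. Flag it when it starts
    talking to many distinct hosts (network mapping) or calls out on 3389,
    the Terminal Services port the article says carried the collected data."""
    targets = {dst for src, dst, _ in conns if src == web_server}
    exfil = [(dst, port) for src, dst, port in conns
             if src == web_server and port == exfil_port]
    return {"distinct_dsts": len(targets),
            "scanning": len(targets) >= min_hosts,
            "outbound_3389": exfil}
```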
The compromised machine also displayed a message saying "Welcome to the Unicorn Beachhead," according to Cooper.
Army personnel initially rebuilt the compromised server, only to have it hacked again almost immediately.
"They didn't know that it was a new vulnerability. They just knew that (IIS) was patched and the attack was still working," Cooper said.
Army personnel registered the problem with Microsoft using a form on Microsoft's Web page, according to Cooper.
Microsoft was not immediately available for comment.
After learning of the attack on March 11, however, TruSecure contacted Microsoft about the problem directly. The company appeared to be unaware of the existence of the new vulnerability at that time, Cooper said.
"None of the people I talked to knew, and they should have known," Cooper said.
Within hours, however, the company appeared to be in a high state of alert about the problem.
"Two hours later, Microsoft said 'We're all over this,'" Cooper said.
Because a highly developed attack using the vulnerability already exists, TruSecure is predicting that a worm leveraging the new IIS security hole could appear in as little as a week.
Administrators running vulnerable versions of IIS should patch them immediately or disable WebDAV, Cooper said.