[ISN] Experts agree on method, not scope of IIS attacks

[InfoSec News]

http://www.computerworld.com/securitytopics/security/story/0,10801,94221,00.html

By Paul Roberts
JUNE 30, 2004 
IDG NEWS SERVICE 

One day after reports of Web site attacks surfaced, there was
disagreement about how widespread the attacks were and how many
Internet users were affected by them.

Security experts on Friday said companies that failed to apply a
recent software patch for Microsoft Corp.'s Internet Information
Services (IIS) Version 5.0 Web server were vulnerable to a new
Web-based attack from an online criminal hacking group, while
Microsoft acknowledged that even individuals running the latest
patches for IIS and the Internet Explorer Web browser could be
affected if they did not make additional configuration changes. But
there were widely different accounts of the attacks impact on
companies and Internet users.

Hackers are using a recently patched hole buffer overflow
vulnerability in Microsoft's implementation of SSL (secure sockets
layer) to compromise vulnerable Windows 2000 systems running IIS,
Microsoft's Web server, said Stephen Toulouse, security program
manager in Microsoft's Security Response Center.

Microsoft patched that flaw in April when it released Security
Bulletin MS04-011, so companies that installed the patch were not
vulnerable to compromise, and attackers did not use an unknown or
"zero day" hole to compromise IIS, he said.

However, the story is more complicated for Internet users and Web
surfers. The recent attacks used two vulnerabilities in Windows and
the Internet Explorer Web browser to silently run the malicious code
on machines that visited the compromised sites, redirecting the
customers to Web sites controlled by the hackers and downloading a
Trojan horse program that captures keystrokes and personal data, he
said.

One of those vulnerabilities was in code for Microsoft's Outlook
Express e-mail client that interpreted a kind of URL known as a MIME
Encapsulation of Aggregate HTML, or MHTML URL, which allows documents
with MHTML-encoded content to be displayed in software applications
like the Internet Explorer Web browser. That vulnerability was
addressed in a security patch from Microsoft, MS04-013, also released
in April, he said.

The second vulnerability was discovered last week and Microsoft does
not have a patch for it, Toulouse said. That hole, called a "cross
zone scripting" vulnerability, allows attackers to trick Internet
Explorer into loading insecure content using relaxed security
precautions typically applied to files stored on the local hard drive
or obtained from a trusted Web site such as www.microsoft.com,
according to experts.

Even Internet Explorer users who apply the MS04-013 patch could still
be compromised, Toulouse said. Only setting the Internet Explorer
security level to "high," and having up-to-date antivirus software to
spot the Trojan horse program as it is downloaded can prevent
infection, he said.

"Due to the way this exploit utilizes an unpatched vulnerability we
were just made aware of, the mitigation here is to follow our safe
browsing guidance and have updated antivirus software," Toulouse said.

At gift basket supplier Young's Inc. in Dundee, Mich., network
administrators first became aware of the new threat on Thursday
morning, when employees, including the company's CEO, received
warnings about Trojan programs when they tried to load the company's
Intranet Web page, said Ron Guyor, a systems administrator at Young's.

The company uses IIS Version 5.0 with SSL and had not applied the
April patch, which Guyor believes was the opening hackers used to
compromise his Web server. After shutting down IIS, Guyor used
searches for recently updated files in IIS and information from online
system administrator newsgroups to locate and remove the malicious
files installed by hackers, he said.

While he is confident that desktop antivirus software from Symantec
Corp. prevented the main Trojan horse file from being installed on his
users' desktops, he's concerned about the unpatched hole in Internet
Explorer and wary that other malicious code may have also been
downloaded that Symantec's antivirus engine was not able to detect, he
said.

"Internet Explorer is a big concern. If there's something Symantec
doesn't know about yet, all you have to do is hit the wrong Web site
and [hackers] can install whatever they want to," he said.

Microsoft hasn't seen evidence of widespread attacks, despite dire
warnings from some security companies and a handful of tales like
Guyor's, Toulouse said.

"Our investigation is showing us that this is not widespread. We
haven't seen or heard a lot about this," he said.

That's the case at Network Associates Inc. (NAI), as well, according
to Vincent Gullotto, vice president of research at NAI's McAfee
Antivirus Emergency Response Team.

"We don't have significant reports of Web sites compromised or of
people sending us examples of the new Trojans," he said. "I'd rate
this a low risk if you're patched and a medium risk if you're not."

Still, other security companies reported widespread infections.

"Hundreds of thousands of computers have likely been infected in the
past 24 hours," said Ken Dunham, director of malicious code in an
e-mail statement from iDefense Inc., a security intelligence company
in Reston, Va.

Managed security company NetSec Inc., in Herndon, Va., said it has
seen infections across the majority of its customer accounts and knows
of infections at large Web hosting farms, where a small number of IIS
servers out of a large farm of servers have been compromised, said Dan
Frasnelli, manager of NetSec's Technical Assistance Center.

The confusion about the extent of attacks shouldn't be surprising,
especially given the novelty of the attack, said Chris Kraft, a senior
security analyst at Sophos PLC.

"There tends to be confusion when something new and interesting
happens. You get a broad disparity of what people say at the outset of
the attack."

Sophos didn't receive many reports from customers about the attacks.  
Still, Kraft thinks the strategy used by the virus writers makes the
IIS attacks worth noting.

"The interesting thing is the delivery mechanism. These hackers
usurped Web sites that people normally consider safe, then exploited
vulnerabilities in the Web browser to download a set of instructions,"  
he said.

If used successfully against a major Web site such as Yahoo.com or
eBay.com, the same approach could net millions of computers in just a
short time that could then be controlled using Trojan horse programs
and used to launch denial of service attacks or distribute unsolicited
commercial ("spam") e-mail, he said.

NAI's Gullotto agrees, saying that the vulnerabilities, Trojan
programs and exploits used in the attacks are well-known to IT
security experts and have been circulating on the Internet. Their
combined use in an attack is new.

"We've had all this stuff for quite a while. The deal is that it
happened -- that somebody put the pieces together," he said.