Earlier today, two Microsoft Web sites fell victim to a new worm making the rounds, nicknamed the '.ida "Code Red" worm'. The name comes partly from the worm's payload, which defaces Web pages with the text "Hacked by Chinese", and partly because Code Red Mountain Dew was apparently the only thing that kept the employees of eEye Digital Security awake all last night as they disassembled the worm in detail.

The worm spreads between Microsoft IIS Web servers by exploiting the .ida buffer overflow published a few weeks ago. Once it has compromised a system, it sets itself up there and creates 99 further "threads", or instances of the worm, that spread it to other Web servers.

Full details of the worm can be found here:
http://www.eeye.com/html/Research/Advisories/AL20010717.html
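As an added, defender-side illustration (not part of the original post or of eEye's advisory), the following Python scans IIS W3C-style log lines for the kind of overlong .ida request the worm relies on. The log lines, source addresses and query layout are constructed, and IDA_QUERY_LIMIT is an assumed threshold.

```python
import re

# Constructed IIS W3C-style log lines (not from the original post). The long
# ".ida" query with %u-encoded bytes has the shape of the published overflow.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 10:02:11 192.0.2.10 GET /index.htm - 200
2001-07-19 10:02:15 192.0.2.44 GET /default.ida {q} 200
2001-07-19 10:02:20 192.0.2.45 GET /scripts/search.ida q=windows 200
2001-07-19 10:02:31 192.0.2.44 GET /default.ida {q} 200
""".format(q="N" * 240 + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801=a")

IDA_QUERY_LIMIT = 200  # assumed: a genuine Index Server query is far shorter
IDA_RE = re.compile(r"\.ida$", re.IGNORECASE)

def parse_line(line):
    """Split one W3C log line into a record; skip directives and short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, ip, method, stem, query, status = parts[:7]
    return {"ts": f"{date} {time}", "ip": ip, "method": method, "stem": stem,
            "query": "" if query == "-" else query, "status": status}

def is_ida_overflow(rec, limit=IDA_QUERY_LIMIT):
    """Flag a request for an .ida (Index Server ISAPI) resource whose query is
    far longer than any real query or carries %u-encoded bytes. The length
    test, not an exact signature, is what catches padding variants."""
    if not IDA_RE.search(rec["stem"]):
        return False
    q = rec["query"]
    return len(q) > limit or "%u" in q.lower()

def scan_log(text):
    """Return (source ip, timestamp, query length) for each suspected attempt."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_ida_overflow(rec):
            hits.append((rec["ip"], rec["ts"], len(rec["query"])))
    return hits

def attempts_by_source(text):
    """Count attempts per source address so the noisiest hosts surface first."""
    counts = {}
    for ip, _, _ in scan_log(text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Run it over a real IIS log to list the hosts probing your server; a patched server still logs the attempts, which is useful for spotting infected neighbours.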

The sites hit included the Windows Update server (www.windowsupdate.microsoft.com). According to the site's regular page:

Windows Update is the online extension of Windows that helps you get the most out of your computer.

Also defaced was explorer.msn.com, the MSN Explorer Web site (described as "Microsoft's all-in-one software that delivers everything you need to feel at home on the Web").

This makes the 17th time a Microsoft Web site has been defaced, including the corporation's global sites in Brazil, Slovenia, New Zealand, Mexico, the UK, Saudi Arabia and South Africa, as well as six servers at its corporate headquarters.

The full list of past Microsoft targets has included:

msrconf.microsoft.com (a supposedly retired MS server, and the first recorded defacement of a Microsoft server) on October 24, 1999
http://www.attrition.org/mirror/attrition/1999/10/24/msrconf.microsoft.com/CMT/

Microsoft Brazil by IZ corp defaced June 3, 2000
http://defaced.alldas.de/mirror/2000/06/03/www.microsoft.com.br/

The Microsoft Events Server by someone unknown on November 7, 2000
http://www.attrition.org/mirror/attrition/2000/11/07/events.microsoft.com

Microsoft Slovenia (defaced twice) the first time by Furia.BR on December 14, 2000 and the second time by BoLoDoRiO 3 days later
http://defaced.alldas.de/mirror/2000/12/14/www.microsoft.si/
http://www.attrition.org/mirror/attrition/2000/12/17/www.microsoft.si/

Microsoft New Zealand was defaced by Prime Suspectz on January 23rd of this year:
http://defaced.alldas.de/mirror/2001/01/23/www.microsoft.co.nz/

Microsoft UK, Microsoft Saudi Arabia and Microsoft Mexico were all defaced on May 3rd, 2001 by Prime Suspectz:
http://defaced.alldas.de/mirror/2001/05/03/www.microsoft.co.uk/
http://www.attrition.org/mirror/attrition/2001/05/03/www.microsoft.com.sa/
http://www.attrition.org/mirror/attrition/2001/05/03/www.microsoft.com.mx/

Microsoft's STREAMER server was defaced by Prime Suspectz on May 7th, 2001:
http://www.attrition.org/mirror/attrition/2001/05/07/streamer.microsoft.com/

Microsoft Romania was defaced by Pentaguard on May 17th, 2001:
http://defaced.alldas.de/mirror/2001/05/18/www.microsoft.ro/

The MSN Mobile "feeds" server was defaced by Prime Suspectz on June 21st, 2001:
http://defaced.alldas.de/mirror/2001/06/21/feeds.mobile.msn.com/

The Microsoft South Africa "interface" server was defaced by the group BlackSun:
http://defaced.alldas.de/mirror/2001/06/19/www.interface.microsoft.co.za/

Two Microsoft RTE servers were defaced by the group Prime Suspectz:
http://defaced.alldas.de/mirror/2001/06/21/redsand.rte.microsoft.com/
http://defaced.alldas.de/mirror/2001/06/21/arulk.rte.microsoft.com/

The Windows Update server and explorer.msn.com were defaced by the 'Code Red' worm:
http://www.attrition.org/mirror/attrition/2001/07/19/windowsupdate.microsoft.com/
http://www.attrition.org/mirror/attrition/2001/07/19/explorer.msn.com/


---
© 1999, 2000, 2001 Copyright Brian Martin
Permission is granted to quote, reprint or redistribute provided the text is not altered, and the author and attrition.org are credited. The opinions expressed in this text are not necessarily the opinion of all Attrition staff members.

To subscribe to this list, send mail to majordomo@attrition.org with subscribe defaced-commentary in the BODY of the mail.