A computer intruder armed with a secret, particularly effective attack tool recently took control of a U.S. military Web server. Both Microsoft and the CERT Coordination Center released hastily prepared warnings on Monday about the vulnerability that led to the attack. But it was a disturbingly successful attack, experts say, because the intruder found and exploited a flaw that took security researchers completely by surprise.
It’s unknown what computer was attacked, how significant a target it was, or what the intruder’s intentions were. But the exploit was sophisticated and well designed, and it was alarmingly successful, said Russ Cooper, security researcher for TruSecure Corp. The company learned of the attack through sources in the U.S. military last Tuesday, Cooper said.
“We believe the military was being targeted,” Cooper said. “We don’t believe anybody else has been targeted by this.”
Cooper had previously said specifically that a U.S. Army computer was attacked, but later revised his assertion and said he wasn’t sure which branch of the U.S. military was hit.
Another source told MSNBC.com that several Web sites with “.mil” domain names have recently been targeted with the same attack method.
Col. Ted Dmuchowski, director of information assurance for the U.S. Army’s Network Technology Enterprise Command, confirmed that a U.S. military computer was targeted, but said the U.S. Army was not.
“To the best of our knowledge, an Army system was not attacked,” he said in an e-mail to MSNBC.com. “According to our records, the military sites that were attacked did not belong to the Army.”
Microsoft’s director of security assurance, Steve Lipner, confirmed that several customers were hit with the attack last week, but he refused to identify them.
(MSNBC is a Microsoft-NBC joint venture.)
Lipner said about 100 employees worked “around the clock” last week, and through the weekend, to develop an emergency fix.
While the timing of the revelation could raise suggestions that the attack might be connected to the potential armed conflict between the United States and Iraq, there is no reason to connect the two events, Cooper said.
The flaw was made worse by the fact that it took computer security experts by surprise. Most of the time, software vulnerabilities are discovered by researchers, who publish them and so give computer administrators time to defend against the flaw before it is exploited. But this time, the “bad guys” knew about it first, leaving every affected computer defenseless against the attack until a patch existed.
“Having attacks reported to us where there’s a vulnerability for which there isn’t a patch is very unusual,” Lipner said.
In the computer security world, such secret vulnerabilities are called “zero-day exploits.” It’s been at least a year since a significant zero-day exploit was revealed, said Chris Rouland, director of Internet Security Systems’ X-Force research team. Because hackers have the upper hand in this vulnerability, “this has a very high degree of urgency,” Rouland said.
The flaw allows an attacker to break into computers running Microsoft’s Windows 2000 operating system and Microsoft’s Internet Information Service Web server product — probably the most popular configuration for Web servers running Microsoft software, Rouland said. All machines are vulnerable by default.
Administrators are advised to immediately install a patch that was quickly developed by Microsoft. It is available for free at the company’s Web site.
CERT’s warning about the flaw is sober. “Any attacker who can reach a vulnerable Web server can gain complete control of the system,” it says. “Note that this may be significantly more serious than a simple ‘Web defacement.’”
Shawn Hernan, Vulnerability Handling Team leader for CERT, described the problem as a “first-class vulnerability” because it allows attackers to take control of a machine from anywhere on the Internet. He said there were “rumors circulating” that it had already been used to attack computers, but “we wouldn’t comment on that.”
The most intriguing part of the attack is that its developer chose to use it to break into U.S. military computers. Also intriguing was a cryptic message left on the attacked computer that read “Welcome to the Unicorn beachhead,” Cooper said.
“I think whoever discovered it had an intent in mind,” he said. “If they just wanted to deface a Web site, they would have done that to the first box they found. But they were doing network mapping. They found a weak link somewhere, and wanted to get deeper inside by continuing to probe.”