
Web worm tests network security

  • 10-05-2004 11:18am
    #1
    Closed Accounts Posts: 801 ✭✭✭


    Seems to be daily at this stage
    http://news.bbc.co.uk/2/hi/technology/3699965.stm
    Web worm tests network security
    More serious security problems for Microsoft software could follow in the wake of the Sasser worm.

    Using vulnerabilities revealed at the same time as those exploited by the web worm, security firm IRM has demonstrated how they can be used to gain control of a Windows web server.

    Using widely available exploit code for the vulnerability, IRM was able to take over a Microsoft server with just a few keystrokes.

    The loophole potentially affects millions of web servers, many of which are run by financial organisations.

    Hole game

    On 13 April Microsoft released a security patch that fixed a series of critical vulnerabilities in many different versions of the Windows operating system.

    In the patch was code that fixed problems with the way that Windows Internet Information Server 5.0 handled secure communications.

    IIS 5.0 is web server software included with the Windows 2000 operating system.

    Days after Microsoft announced its patch, malicious code to exploit the vulnerability appeared online.

    BBC News Online was shown just how easy this code makes it to take over a vulnerable IIS 5.0 server by Phil Robinson, technical manager for security firm IRM.

    Once the code was compiled using Microsoft Visual C++ the only other things needed were the internet address of a target and the number of an open working port, or net channel, on that machine.

    Widely available scanning tools make it very easy to find IIS 5.0 servers on the net, not least because there are so many of them.

    Internet monitoring firm Netcraft reports that there are more than 8.6m sites running IIS 5.0.

    Some of these sites will be protected because they applied the patch to protect themselves against the Sasser worm but it is likely that many of them are still vulnerable.

    Site seeing

    Mr Robinson said most hackers looking for working net channels, or ports, would try the well-known ones for e-mail or file transfers.

    Moments after loading the exploit code, adding a net address and port number, the targeted server returned a prompt that gave an attacker complete control over that machine.

    Mr Robinson declared himself "amazed" that the vulnerability was not getting the exposure enjoyed by the one that the Sasser worm exploited.

    He said the Sasser vulnerability affected a relatively obscure part of Windows.

    "But this is for a public service and it's much more predominant on the internet," he said.

    Netcraft reports that there are at least 132,000 servers running the secure communications system vulnerable to the exploit that IRM used.

    Many of the sites using this code are banks and other financial institutions.

    There are known to be two other programs circulating that let people exploit the secure communications bug. The one IRM used has been downloaded almost 15,000 times.

    Mr Robinson said that although the exploit code was released only recently it was likely that it had been used for some time before.

    There is evidence that hackers have already been scanning the net for sites that are vulnerable.

    The Sans Institute has noticed a spike in scans of particular ports associated with this vulnerability suggesting that some malicious or criminal hackers have been trying to exploit it for some time.

    Security firm Internet Security Systems said that Australian banking websites vulnerable through the flaw have also been targeted by hacking groups.

    ISS said attacks using the flaw were being launched against some of Australia's largest financial institutions.

    The hacker that created the exploit code has since decided to stop releasing such code to the public.

    In a note about the code he wrote: "Too many risks that kiddies around the world use it for bad purposes. I saw, that the original intention, to publish exploits, for pentesting or patch verifing (sic) purposes didn't work".


