Major Internet Attack Under Way (IIS hit; Apache/SWS on VMS immune)

From: William Webb (
Date: 06/25/04

Date: 25 Jun 2004 13:18:27 -0700


Major Internet Attack Under Way

By George V. Hulme, Information Week

Internet security organizations are warning that dozens of
major Internet sites, and potentially thousands of Web sites
across the Internet, are currently under attack.

Several Web administrators from major companies said their
Windows-based Web servers were compromised despite being up
to date on security patches, security analysts reported.

"We've been watching activity since last Sunday, but it's now
hit a critical mass," says Marcus Sachs, director of the SANS
Internet Storm Center, who is in communications with Homeland
Security's National Cyber Security division about the attack.

The attack appears to be one of the most sophisticated
Internet attacks to date. The attackers are compromising and
infecting E-commerce and corporate Web sites with malicious
code. That code is used to infect Web surfers using certain
versions of Internet Explorer.

Security experts say Web surfers visiting these sites are at
risk of having their machines infected with Trojan horse
applications, used to hijack computers, as well as keystroke
loggers, which are capable of stealing personal information
such as financial account numbers and passwords.

It's not clear if the latest Internet Explorer patches are
able to protect users' systems from becoming infected.
Internet security firm Symantec's DeepSight Threat Alert says
IE users are being infected through a known, but still
unpatched, Internet Explorer flaw.

Symantec's BugTraq IDs for the flaws are 10472 and 10473.
More information about these flaws is available at and .

Security experts have been studying the attack and are unclear about
the motive behind it. Some say the attacks can be traced to a Russian
Web IP address of known spammers; others say the attack is designed to
steal consumers' financial information.

Daniel J. Frasnelli, manager of the technical assistance center for
managed security services provider NetSec, says it started monitoring
the attack activity early Thursday and immediately notified its
security customers.

NetSec wouldn't disclose the names of the E-commerce sites under
attack, citing legal fears, but Frasnelli said infected sites include
a major auction site, an auto-pricing site, and search-engine sites.
"We all know these sites," he says.

Security researchers say it's not yet clear how the attackers have
compromised these Web sites. "It'll take some considerable forensic
examinations," says Alfred Huger, senior director of engineering for
Internet security firm Symantec.

It appears that the attackers are compromising Web servers running
Microsoft's Internet Information Services, either because they aren't
patched or through a newfound software vulnerability.

Web surfers who visit infected sites are infected via gif images or
other Web-site objects that have malicious code attached to them,
including keystroke loggers and Trojan horse applications.

"Our big concern is that there is a zero-day vulnerability in IIS,"
Sachs says.

Microsoft is investigating the attacks. The software vendor issued a
statement saying that "at 4:00 pm PT [Thursday], Microsoft began
investigating reports that some customers running unprotected versions
of IIS 5.0, a component of Windows 2000 Server, were being targeted."

Microsoft and Symantec say these sites are being hit with a malicious
application known as Download_Ject.

At 3 a.m. Friday, Microsoft issued a statement saying that "early
indications suggest" that unpatched IIS 5.0 Servers are the systems
targeted in the attack. Microsoft said the servers have not been
updated with the patch included in Microsoft security bulletin April
MS04-011. "Customers should ensure they have installed MS04-011 to
help secure against the issues corrected by that security update," the
company said.

Microsoft is also urging its customers to download and install the IE
patch included with Microsoft Security Bulletin MS04-013 and that they
"utilize high security settings" in Internet Explorer.

To help defend against the attack, Microsoft is urging consumers to
read It's
also asking its business customers to read;en-us;833633 to
"minimize risk." Microsoft corporate customers that have deployed XP
SP2 RC2 are not at risk from the attack, the company said.

Most major antivirus companies plan to update their antivirus software
to spot systems infected with the back doors and keystroke loggers
associated with this attack.

One of the suggestions I have made to HP management is that the
current state of webserver vulnerability is a golden opportunity for
HP to market an entry-level, turn-key webserver-on-VMS system.

Again, the opportunity arises.