Military Web server hacked

Windows 2000 Security Patch

A hacker last week exploited a previously unknown vulnerability in Microsoft Corp.'s Windows 2000 operating system to gain control of a military Web server, and the extent of the damage done is still unknown.

Russ Cooper, surgeon general at TruSecure Corp. — a provider of managed security services — said the hacker used an attack code to operate the system as if he or she had the highest security clearance and therefore was able to gain complete control of the system.

The hacker, whose identity also is still unknown, could "get to any data on that system, or execute any program," Cooper said, adding that the attack occurred March 10. He said that he was notified unofficially a day later by an Army source and then he contacted Microsoft for verification that the company had been notified.

Cooper said the Army source identified the problem after performing a network scan and finding data output from a port on one of its internal servers to an "unspecified region."

However, an Army official said that "an Army system was not attacked."

"According to our records, the military sites that were attacked did not belong to the Army," said Col. Ted Dmuchowski, director of information assurance at the Army's Network Enterprise Technology Command. "That being said, we do consider operating and defending the Army's computer networks to be no different than managing and defending the physical battlefield.

"We are aware of the vulnerability in the...server software and we have taken measures to push the appropriate patch down to all Army networks. For security reasons, we don't discuss operational issues; that is, we don't discuss what specific measures we take under these circumstances."

Both Microsoft and Carnegie Mellon University's CERT Coordination Center issued security warnings about the "buffer overflow" vulnerability and Microsoft has developed a patch to fix it. The patch is available for free on Microsoft's Web site.

The vulnerability affects systems running Microsoft Windows 2000 with Internet Information Server (IIS) 5.0 enabled. IIS 5.0 runs by default on Microsoft Windows 2000 server products and includes support for the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol, which allows users to upload and download files stored on a Web server. According to TruSecure, the code exploits an unchecked buffer in the WebDAV protocol.

"By sending a specially crafted request to an IIS 5.0 server, an attacker may be able to execute arbitrary code in the local system security context, essentially giving the attacker compete control of the system," according to the CERT bulletin. "Note that this may be significantly more serious than a simple 'Web defacement.'"

Exactly which military computer was attacked, the sensitivity of the data contained on the system, and the attacker's intentions are still unknown. But Cooper said he doubts it was a critical site because the service did not have a standard operating procedure in place to execute after they found the flaw. Also, sources at the Pentagon told Cooper that they knew nothing of the attack.

"The [military] did all the wrong things first," Cooper said. The service first took down the affected machine and rebuilt it, which not only could have lost valuable forensic evidence, but also left the rebuilt computer vulnerable to another attack.

Then, the personnel reported the bug to a general Microsoft Web site, where it languished for a few hours before the company responded, Cooper said. They also blocked the outbound port in an effort to keep the attacker from exporting data, but the hacker could have simply changed the port he or she was using or used multiple ports simultaneously, he said.

Microsoft's director of security assurance, Steve Lipner, told MSNBC that several customers were hit with the attack last week, but refused to identify them. He added that about 100 employees worked "around the clock" last week, and through the weekend, to develop the emergency fix.

Compounding the surprising nature of an attack on a Defense Department system is the fact that this was a previously unknown vulnerability, or "zero-day exploit," which are extremely rare in the computer security arena. Vendors often issue patches before hackers have infiltrated a system.

The hacker also left behind a file with the phrase, "Welcome to the Unicorn beachhead," Cooper said.

He said TruSecure tracks more than 8,000 hackers worldwide and none use the name Unicorn, although Microsoft has a database access product that was code-named Unicorn. Cooper said he thinks the message was a reference to that product and the company.

TruSecure offered assistance to Microsoft and the military, but was denied and not granted access to the attack code or output, he said.