MS puzzled by server attack spree

Jeremy Fowler jfowler at westrope.com
Fri Sep 6 20:12:32 CDT 2002


http://zdnet.com.com/2100-1105-956647.html

MS puzzled by server attack spree

By Robert Lemos
Special to ZDNet News
September 5, 2002, 4:22 AM PT

Microsoft released further details of a rash of attacks on Windows 2000 servers
that has so far stumped the software giant's research team.

In an advisory posted Aug. 30, Microsoft warned customers that several companies
had recently observed an "increased level of hacking activity." Microsoft
Product Support Services (PSS) told system administrators to be on the lookout
for Trojan horses--programs that appear to be legitimate but aren't--and for
several specific kinds of odd network behavior.

On Wednesday, Mark Miller, security specialist for the Microsoft PSS, said that
the attacks seemed to be ongoing, but at a much reduced level.

"We saw a pretty sharp spike," he said, adding that "we definitely consider this
to be hacker activity and not worm activity."

Microsoft has only been able to characterize the attacks by certain files that
each compromised machine has in common and by the fact that compromised machines
have all been running Windows 2000.

One file, "gg.bat," attempts to connect to other computers using various
administrator accounts. If successful, the file will then copy other files over
to the compromised system. This behavior is usually considered characteristic of
a worm--but Miller stressed that since the file doesn't copy itself to the
victim's hard drive, it shouldn't be considered a worm.

Another file, "seced.bat," changes security settings on the compromised system.
This attack could make it easier for a vandal to later log onto the computer and
use the system. A third file, "gates.txt," contains a list of numerical Internet
addresses. Microsoft, however, is unsure whether they are addresses of
compromised systems, computers to be targeted, or some unrelated list.

While the company wouldn't say how many machines or customers had been victims
of the attacks, Miller did say that "it has been a significant number."

With the rate of compromise apparently declining, however, Microsoft seems
willing to wait before referring incidents to the Microsoft Security Response
Center, the company's internal clearing house for information on flaws and bugs.
Miller explained that the company has not been able to determine if the attack
uses some new flaw in its operating system or just finds success because Windows
2000 system patches are out of date.

"We are still monitoring the situation and we are looking into it," said Miller.



