Attackers target Microsoft software, group says

When it comes to Web site vandalism, hackers stick with what they know: NT operating systems

By William Jackson

GCN Staff

Server software from Microsoft Corp. is the favored target of vandals who deface Web pages, according to a spokesman for Attrition, a computer security site.

The U.S. commercial .com domain is the most popular with vandals, although the bragging rights that go with hitting a .gov civilian or .mil military site also make those domains attractive targets, Attrition's Brian Martin said.

The site maintains a mirrored archive of pages that have been defaced, along with a number of other computer security resources. The site has accumulated information about nearly 7,000 incidents dating back to September 1996 and has been doing its own investigations of defacements since last year.

When Attrition is notified of a defacement (by the victim, a third party or sometimes by the hacker), the organization's staff visits the site to confirm the attack, scan it for Web server software and operating system, and make a mirror image of the defaced page. The hacker's work is analyzed for identifiable traits, such as Hypertext Markup Language coding style, misspellings, repeated use of certain elements and inclusion of names.

The organization keeps statistics on recognizable individuals or groups involved.

Accurate data about such incidents can be difficult to come by, and Attrition does not claim high accuracy for its figures. Information prior to last year is suspect because it was gathered from other sources instead of by first-hand examination. But some trends in the Attrition numbers stand out.

"Defacements are increasing in number," Martin said.
Attrition's figures show about 2,800 defacements reported through July of this year, compared with about 1,600 for the same period last year and about 3,750 reported in all of last year. The number of attacks seems to be keeping pace with the number of Web servers deployed.

Martin described most of the vandals who attack sites as "not bright. Most defacements are sloppy, and they leave a forensic trail," he said.

Matter of choice

Lack of Unix expertise, he said, might explain vandals' preference for Microsoft Internet Information Server, which runs under Windows NT. Although Apache Hypertext Transfer Protocol software from Apache Group of Forest Hill, Md., is the most common Web server application, Microsoft's IIS accounted for 56 percent of the defacements documented by the organization from August 1999 through July 2000. Apache came in a distant second at 28 percent.

"It takes little knowledge to deface an NT page," Martin said. The NT operating system dominated the defacements reported for the same time period, at 63 percent. Linux and SunSoft Solaris lagged far behind NT.

The .com domain had 2,881 documented incidents since September 1996, more than 40 percent of the total. The .gov domain accounted for 277 incidents, 48 of them on NASA sites alone. In the .mil domain, Navy sites suffered 55 of 146 defacements reported. Attrition notifies victims that they have been attacked and also has an e-mail subscription list.

"When almost any government agency is hacked, the next day the administrator subscribes to one of our mail lists," Martin said.

The group has been accused of encouraging defacement by maintaining a public archive of hacked sites at

"This is far from the truth," Martin said. Attrition's is only one of a number of mirror sites, he said, and it collects valuable forensic evidence for identifying and tracking hackers.

