DoD dodged bullet on Win 2000 vulnerability; experts wait for wider attacks
- By William Jackson
- Mar 19, 2003
The Army says it was not the target of last week's zero-day exploit of a Windows 2000 weakness, as has been reported.
'To the best of our knowledge, an Army system was not attacked,' said Col. Ted Dmuchowski, director of Information Assurance of the Army's Network Technology Enterprise Command. 'According to our records, the military sites that were attacked did not belong to the Army.'
Dmuchowski's statement did not identify the target, but said the Army has responded to the threat revealed by the March 10 attack.
'We are aware of the vulnerability and we have taken measures to push the appropriate patch down to all Army networks,' he said.
Microsoft Corp. has released a patch for the vulnerability in its Windows 2000 operating systems, which is exploited through version 5 of the company's Internet Information Services. But some security experts say a broader attack could be in the offing.
The original exploit, which enters through the IIS Web-based Distributed Authoring and Versioning function, was a standalone executable aimed at a single server, said Russ Cooper, surgeon general of TruSecure Corp. of Herndon, Va. TruSecure originally reported the incident.
'I do expect that in the next seven to 10 days we're going to see a worldwide wave' of attacks, probably via an Internet worm, Cooper said Wednesday. 'And it will be effective.'
He estimated there are more than 4 million vulnerable servers worldwide. Although the patch is available, past experience shows 'the vast majority of them' won't be protected in time, he said.
Cooper initially reported that the first server compromised through the buffer overflow in was an Army box. But on Wednesday the Army reported it was not the victim.
The vulnerability lets an intruder, who submits the code with a Uniform Resource Locator request through the WebDAV function of IIS, run arbitrary code in Win 2000. WebDAV is enabled by default on IIS v.5 installations.
The X-Force lab of Internet Security Systems Inc. of Atlanta examined the attack code.
'The exploit is fairly robust,' said Dan Ingevaldson, X-Force research and development team leader. 'The copy worked very well against all of the machines we tried it on. It seems like a lot of work went into it.'
Despite the code's effectiveness, it probably was not the work of a serious cyberterrorist or of a nation, Cooper said.
'My best speculation is that it probably was an individual who wanted to get sensitive information to prove he was a better hacker than his friends,' he said.
The exploit scans the server's network and sends information back through a port usually used for encrypted traffic that would not be routinely monitored, which shows a certain level of sophistication. But if the attack had been a proof-of-concept prelude to cyberwarfare, 'he would have been attacking a little server in Timbuktu' and not a DOD server, Cooper said.
But both Cooper and Ingevaldson said development of a worm to act as a delivery vehicle for the exploit is a probability.
Dmuchowski said the zero-day exploit'given that name because the vulnerability has been exploited before developers knew of it'was not unusual. 'Hackers find vulnerabilities before vendors know about them all the time,' he said. 'In fact, that is where some vendors first find out about their vulnerabilities.'
But although hackers are often the first to find vulnerabilities, they are not always exploited immediately. Cooper called the recent incident the first zero-day attack in three years.
Despite availability of a patch for the problem, a worm spreading the exploit code could be effective because patches often are not installed immediately on many systems. Dmuchowski said he could not discuss specifics of measures taken by the Army.
'What I can say is this,' he said. 'One, we have a process in place to vet and prioritize those vulnerabilities that are of graves concern to the DOD and hence the Army. Two, while there are hundreds of vulnerabilities identified every month, very few make it to our 'A' list.'
(Updated March 19, 2003 1:35 p.m.)
William Jackson is a Maryland-based freelance writer.