Experts agree on method, not scope of IIS attacks

BOSTON - One day after reports of Web site attacks surfaced, there was disagreement about how widespread the attacks were and how many Internet users were affected by them.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

Security experts on Friday said companies that failed to apply a recent software patch for Microsoft Corp.'s Internet Information Services (IIS) Version 5.0 Web server were vulnerable to a new Web-based attack from an online criminal hacking group, while Microsoft acknowledged that even individuals running the latest patches for IIS and the Internet Explorer Web browser could be affected if they did not make additional configuration changes. But there were widely different accounts of the attacks' impact on companies and Internet users.

Hackers are using a recently patched hole buffer overflow vulnerability in Microsoft's implementation of SSL (secure sockets layer) to compromise vulnerable Windows 2000 systems running IIS, Microsoft's Web server, said Stephen Toulouse, security program manager in Microsoft's Security Response Center.

Microsoft patched that hole in April when it released Security Bulletin MS04-011, so companies that installed the patch were not vulnerable to compromise, and attackers did not use an unknown or "zero day" hole to compromise IIS, he said. (See: http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx.)

However, the story is more complicated for Internet users and Web surfers. The recent attacks used two vulnerabilities in Windows and the Internet Explorer Web browser to silently run the malicious code on machines that visited the compromised sites, redirecting the customers to Web sites controlled by the hackers and downloading a Trojan horse program that captures keystrokes and personal data, he said.

One of those vulnerabilities was in code for Microsoft's Outlook Express e-mail client that interpreted a kind of URL (Uniform Resource Locator) known as a MIME Encapsulation of Aggregate HTML, or MHTML URL, which allows documents with MHTML-encoded content to be displayed in software applications like the Internet Explorer Web browser. That vulnerability was addressed in a security patch from Microsoft, MS04-013, also released in April, he said. (See: http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx.)

The second vulnerability was discovered last week and Microsoft does not have a patch for it, Toulouse said. That hole, called a "cross zone scripting" vulnerability, allows attackers to trick Internet Explorer into loading insecure content using relaxed security precautions typically applied to files stored on the local hard drive or obtained from a trusted Web site such as www.microsoft.com, according to experts.

Even Internet Explorer users who apply the MS04-013 patch could still be compromised, Toulouse said. Only setting the Internet Explorer security level to "high," and having up-to-date antivirus software to spot the Trojan horse program as it is downloaded can prevent infection, he said.

"Due to the way this exploit utilizes an unpatched vulnerability we were just made aware of, the mitigation here is to follow our safe browsing guidance and have updated antivirus software," Toulouse said.

At gift basket supplier Young's Inc. in Dundee, Michigan, network administrators first became aware of the new threat on Thursday morning, when employees, including the chief executive officer of the company, received warnings about Trojan programs when they tried to load the company's Intranet Web page, said Ron Guyor, a systems administrator at Young's.

The company uses IIS Version 5.0 with SSL and had not applied the April patch, which Guyor believes was the opening hackers used to compromise his Web server. After shutting down IIS, Guyor used searches for recently updated files in IIS and information from online system administrator news groups to locate and remove the malicious files installed by hackers, he said.

While he is confident that desktop antivirus software from Symantec Corp. prevented the main Trojan horse file from being installed on his users' desktops, he's concerned about the unpatched hole in Internet Explorer and wary that other malicious code may have also been downloaded that Symantec's antivirus engine was not able to detect, he said.

"Internet Explorer is a big concern. If there's something Symantec doesn't know about yet, all you have to do is hit the wrong Web site and (hackers) can install whatever they want to," he said.

Microsoft hasn't seen evidence of widespread attacks, despite dire warnings from some security companies and a handful of tales like Guyor's, Toulouse said.

"Our investigation is showing us that this is not widespread. We haven't seen or heard a lot about this," he said.

That's the case at Network Associates Inc. (NAI), as well, according to Vincent Gullotto, vice president of research at NAI's McAfee Antivirus Emergency Response Team.

"We don't have significant reports of Web sites compromised or of people sending us examples of the new Trojans," he said. "I'd rate this a low risk if you're patched and a medium risk if you're not."

Still, other security companies reported widespread infections.

"Hundreds of thousands of computers have likely been infected in the past 24 hours," said Ken Dunham, director of malicious code in an e-mail statement from iDefense Inc., a security intelligence company in Reston, Virginia.

Managed security company NetSec Inc., in Herndon, Virginia, said it has seen infections across the majority of its customer accounts and knows of infections at large Web hosting farms, where a small number of IIS servers out of a large farm of servers have been compromised, said Dan Frasnelli, manager of NetSec's Technical Assistance Center.

The confusion about the extent of attacks shouldn't be surprising, especially given the novelty of the attack, said Chris Kraft, a senior security analyst at Sophos PLC.

"There tends to be confusion when something new and interesting happens. You get a broad disparity of what people say at the outset of the attack."

Sophos did not receive many reports from customers about the attacks. Still, Kraft thinks the strategy used by the virus writers makes the IIS attacks worth noting.

"The interesting thing is the delivery mechanism. These hackers usurped Web sites that people normally consider safe, then exploited vulnerabilities in the Web browser to download a set of instructions," he said.

If used successfully against a major Web site such as Yahoo.com or eBay.com, the same approach could net millions of computers in just a short time that could then be controlled using Trojan horse programs and used to launch denial of service attacks or distribute unsolicited commercial ("spam") e-mail, he said.

NAI's Gullotto agrees, saying that the vulnerabilities, Trojan programs and exploits used in the attacks are well-known to information technology security experts and have been circulating on the Internet. Their combined use in an attack is new.

"We've had all this stuff for quite a while. The deal is that it happened -- that somebody put the pieces together," he said.