US Army hacked via IIS hole
Worm expected soon
A March 10 computer attack on a server run by the U.S. Army using the recently disclosed Microsoft Internet Information Server (IIS) vulnerability resulted in the complete compromise of that machine and may herald the advent of a new worm in the very near future, according to security company TruSecure.
The incident was an instance of a rare "zero day" attack, in which an as-yet unreported vulnerability is used to compromise a remote system, TruSecure said.
The targeted server was a publicly addressable IIS server managed by the Army, but was not part of the Army's Web site infrastructure nor was the server performing any important functions or storing sensitive information, according to Cooper.
"It was a totally useless Web server doing nothing whatsoever," Cooper said.
The Army did not respond to requests for comment.
The Herndon,
Microsoft released a critical patch for the buffer overflow vulnerability on Monday, warning that it was already aware of exploits using the vulnerability. The
The flaw exists in a Windows 2000 component that is used to handle the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol.
WebDAV is a set of extensions to HTTP (Hypertext Transfer Protocol) that allows users to edit and manage files on remote Web servers. The protocol is designed to create interoperable, collaborative applications that facilitate geographically dispersed "virtual" software development teams.
The March 10 attack was directed specifically at the Army and was not the result of a broader or indiscriminate attack, according to Russ Cooper, Surgeon General of TruSecure.
In that attack, a specially formatted URL (Uniform Resource Locator) was used to trigger a buffer overflow. Once the machine was compromised, it began collecting information about the network it was connected to, a process known as "network mapping," according to Cooper.
"It was delivered the same way as Code Red," Cooper said.
However, unlike the Code Red worm, which hit computers worldwide in 2001, the attack on the Army server did not attempt to replicate itself, according to Cooper.
Information gained from the network mapping was sent back to the attacker over port 3389, the port used by Microsoft Terminal Services.
It is not known what information was sent from the machine. However, the IP (Internet Protocol) addresses of other machines on the network and information on what services were running would all be valuable to a malicious hacker, according to Cooper.
Because the targeted server was a low-value asset, there were initially few warnings that a compromise had taken place.
Army IT personnel only became aware of the problem after noticing the increased network scanning activity emanating from the box, Cooper said.
The compromised machine also displayed a message saying "Welcome to the Unicorn Beachhead," according to Cooper.
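The article describes three observables a defender could have keyed on: an oversized WebDAV request URI arriving at IIS, the web server contacting many neighbouring hosts (the "network mapping"), and outbound traffic from the web server on port 3389. The following Python detection logic is an added example, not code from the article or from TruSecure; the log lines and flow records are constructed, and the URI length cap and scan threshold are assumed tuning values.

```python
"""Detections for the observables described above. All sample data is constructed."""
import re

# WebDAV verbs handled by the IIS extension (assumed list of RFC 2518 methods plus SEARCH).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK", "SEARCH"}

# Constructed W3C-style IIS lines: date time c-ip cs-method cs-uri-stem sc-status.
# The third line carries a 70,000-byte URI standing in for a malformed request.
IIS_LOG = (
    "2003-03-10 02:11:05 10.0.0.7 GET /default.htm 200\n"
    "2003-03-10 02:11:09 10.0.0.7 PROPFIND /docs/ 207\n"
    "2003-03-10 02:11:31 192.0.2.44 SEARCH /" + "A" * 70000 + " 500\n"
)

# Constructed flow records involving the web server 10.0.0.5: (src, dst, dport).
FLOWS = [
    ("10.0.0.5", "10.0.0.12", 445), ("10.0.0.5", "10.0.0.13", 445),
    ("10.0.0.5", "10.0.0.14", 139), ("10.0.0.5", "10.0.0.15", 135),
    ("10.0.0.5", "10.0.0.16", 80),  ("10.0.0.5", "192.0.2.44", 3389),
    ("10.0.0.7", "10.0.0.5", 80),
]

LINE_RE = re.compile(r"^\S+ \S+ (?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d+)$")

def flag_long_webdav_requests(log_text, max_uri_len=4096):
    """Return (client_ip, method, uri_length) for WebDAV requests whose URI
    exceeds max_uri_len. The cap is an assumed tuning value, not from the article."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] not in WEBDAV_METHODS:
            continue
        if len(m["uri"]) > max_uri_len:
            hits.append((m["ip"], m["method"], len(m["uri"])))
    return hits

def flag_outbound(flows, server_ip, exfil_ports=(3389,), scan_threshold=5):
    """Flag a web server that initiates connections on a port it should never use
    outbound (Terminal Services here) or that reaches unusually many distinct hosts."""
    exfil = [(dst, port) for src, dst, port in flows if src == server_ip and port in exfil_ports]
    peers = {dst for src, dst, _ in flows if src == server_ip}
    return {"exfil": exfil, "peers": len(peers), "scanning": len(peers) >= scan_threshold}

if __name__ == "__main__":
    print(flag_long_webdav_requests(IIS_LOG))
    print(flag_outbound(FLOWS, "10.0.0.5"))
```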