Army Server Hacked
Microsoft plugs IIS hole, but worm may target unpatched systems.
A March 10 attack on a U.S. Army server, exploiting a newly found hole in Microsoft Internet Information Server, completely compromised the targeted system and may herald a new worm in the very near future, according to security company TruSecure.
The incident was an instance of a rare "zero day" attack, in which an as-yet unreported vulnerability is used to compromise a remote system, TruSecure representatives say.
The targeted server was a publicly addressable IIS server managed by the Army, but was not part of the Army's Web site infrastructure. The server was not performing any important functions or storing sensitive information, according to Russ Cooper, surgeon general of TruSecure.
"It was a totally useless Web server doing nothing whatsoever," Cooper said.
The Army did not respond to requests for comment.
Aftermath Expected
Microsoft released a critical patch for the new vulnerability on Monday. The software giant warned that it was already aware of exploits using the vulnerability, but did not provide details.
Because a highly developed attack using the vulnerability has already occurred, TruSecure is predicting a worm leveraging the new IIS security hole could appear in as little as a week.
The flaw exists in a Windows 2000 component that is used to handle the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol.
WebDAV is a set of extensions to HTTP that allows users to edit and manage files on remote Web servers. The protocol is designed to create interoperable, collaborative applications that facilitate geographically dispersed "virtual" software development teams.
Administrators running vulnerable versions of IIS should patch them immediately or disable WebDAV, Cooper said.
Low-Profile Action
The security firm learned of the attack on March 11 from confidential sources within the Army and contacted Microsoft, Cooper said.
The March 10 attack was directed specifically at the Army and was not the result of a broader or indiscriminate attack, Cooper said.
The attacker used a specially formatted URL to generate a buffer overflow. Once the system was compromised, it began collecting information on the network it was on, a process known as "network mapping," according to Cooper.
"It was delivered the same way as Code Red," Cooper said.
However, unlike the Code Red worm, which hit computers worldwide in 2001, the attack on the Army server did not attempt to replicate itself, according to Cooper.
Information gained from the network mapping was sent back to the attacker using port 3389, which is used by Microsoft Terminal Services.
It is not known what information came from the server. However, the IP addresses of other PCs on the network and information on what services were running would be valuable to a malicious hacker, according to Cooper.
Caught By Surprise
Because the targeted server was not a critical system, the attack was not initially apparent. Army IT personnel spotted the problem after noticing the increased network scanning activity by that server, Cooper said.
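As an added defender-side illustration (not code from the article, TruSecure or the Army), the two review heuristics the account suggests: flagging WebDAV requests with abnormally long URIs in IIS W3C logs, and flagging a web server that opens outbound connections on the Terminal Services port. The log lines, IP addresses and the 2048-byte length threshold are constructed assumptions, not data from the incident.

```python
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "SEARCH", "LOCK", "UNLOCK", "MKCOL", "COPY", "MOVE"}

# Constructed IIS W3C extended log excerpt (fields: date time c-ip cs-method cs-uri-stem sc-status).
# The 4000-character path is a stand-in for an abnormally long request URI; the IPs are documentation ranges.
SAMPLE_IIS_LOG = (
    "#Software: Microsoft Internet Information Services 5.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status\n"
    "2003-03-10 02:14:05 192.0.2.10 GET /default.htm 200\n"
    "2003-03-10 02:14:09 192.0.2.10 PROPFIND /docs/ 207\n"
    "2003-03-10 02:15:31 198.51.100.7 SEARCH /" + "A" * 4000 + " 500\n"
    "2003-03-10 02:15:32 198.51.100.7 SEARCH /" + "A" * 4000 + " 500\n"
)

def find_overlong_webdav_requests(log_text, max_uri_len=2048):
    """Return (client_ip, method, uri_length, status) for WebDAV requests whose URI exceeds max_uri_len.
    The threshold is an assumption chosen well above ordinary WebDAV path lengths."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # skip blank lines and W3C directives
            continue
        fields = line.split()  # cs-uri-stem never contains spaces in W3C format
        if len(fields) < 6:
            continue
        _date, _time, c_ip, method, uri, status = fields[:6]
        if method.upper() in WEBDAV_METHODS and len(uri) > max_uri_len:
            hits.append((c_ip, method, len(uri), status))
    return hits

# Constructed outbound-connection records from a perimeter device: "date time src_ip dst_ip dst_port".
SAMPLE_CONN_LOG = (
    "2003-03-10 02:20:11 192.0.2.50 203.0.113.9 3389\n"
    "2003-03-10 02:20:12 192.0.2.50 203.0.113.9 3389\n"
    "2003-03-10 02:21:00 192.0.2.50 192.0.2.60 445\n"
    "2003-03-10 02:22:00 192.0.2.60 203.0.113.9 3389\n"
)

def find_outbound_rdp(conn_text, web_server_ip, port=3389):
    """Return the distinct hosts the given web server connected out to on the Terminal Services port.
    A public web server initiating such connections is the anomaly worth reviewing."""
    dests = set()
    for line in conn_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _date, _time, src, dst, dport = fields
        if src == web_server_ip and dport == str(port):
            dests.add(dst)
    return sorted(dests)
```

Both checks are coarse triage rules: a long URI alone is not proof of exploitation, and the outbound rule only matters for hosts that have no business reaching Terminal Services.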
The compromised system also displayed a message saying "Welcome to the Unicorn Beachhead," according to Cooper.
Army personnel initially rebuilt the compromised server, only to have it hacked again almost immediately.
"They didn't know that it was a new vulnerability. They just knew that [IIS] was patched and the attack was still working," Cooper said.
The Army also reported the problem to Microsoft online, according to Cooper. Microsoft was not immediately available for comment.
But TruSecure contacted Microsoft after learning about the attack. The software company appeared to be unaware of the new vulnerability at that time, Cooper said.
"None of the people I talked to knew, and they should have known," Cooper said.
Within hours, however, the company appeared to be in a high state of alert about the problem.
"Two hours later, Microsoft said 'We're all over this,'" Cooper said.