All the successful attacks so far have been against servers running Windows 2000, but if this isn't due to some as-yet-undiscovered flaw in that operating system, other platforms could be equally at risk and simply haven't been targeted yet. Administrators may want to watch for suspicious activity similar to that seen in the attacks on Windows 2000.

Details
Based on Microsoft's initial analysis of compromised systems, any hacked computers will contain some specific code that makes it easy to spot a successful attack. Some of these files are intended to make it easier to compromise the system again, and others are legitimate files you may not have installed. The attack will leave a modified security policy in its wake on domain controllers, but it will also leave the Backdoor.IRC.Flood IRC client, which makes reentry by the hacker very simple.

According to Microsoft, some of the files left during this attack have no apparent function, such as the Gates.txt file, which contains a list of IP addresses. Microsoft reports that its specialists have been unable to determine just what these addresses indicate or are used for, if anything. Of the remaining files, GG.bat will attack other servers and attempt to log on with administrator privileges, and Seced.bat alters the system's security settings. In addition, if you find good copies of Psexec, Ws_ftp, and/or Flashfxp on a system and haven't installed them yourself, the system has probably been compromised. Altered versions of MDM.exe and Taskmngr.exe are also found on compromised systems, so check those commonly installed files, especially if the Backdoor.IRC.Flood file is also detected.

Microsoft reports that in addition to being Windows 2000 platforms, all the compromised systems its security experts have analyzed appeared to share one common factor: They all had very weak or blank administrator passwords.

Risk level: critical
Compromised systems are essentially left entirely open to the attacker and, if undetected, will remain compromised until the IRC client is cleaned out and proper security settings are reestablished. The Microsoft notice said that a successful attack will also cause denial of service to legitimate users because they will be unable to log on to the server. Access to Active Directory snap-ins (Microsoft Management Console) is also disabled for all users.

Mitigating factors
The IRC Trojan is detected by most current antivirus software with up-to-date signature files. Microsoft said this attack is succeeding only against poorly secured servers, so any system with properly configured security parameters -- especially those using strong administrator passwords -- will be safe. Although some in the security community are scoffing at this contention, no one has, to date, provided any proof of a specific vulnerability in Windows that could be the cause of this problem.

Fix
Since this doesn't appear to be an actual vulnerability at this time, all you can do is clean out the infection and take steps to block future attacks. After you clean the compromised files and the IRC back door out of the system, Microsoft recommends you follow the usual security procedures, including installing or properly configuring firewall software on the affected system, eliminating the Guest account, and strengthening any administrator passwords. Details of the cleaning process aren't given in the notice, so you will probably want to contact Microsoft Support for help.

Final word
Unless it turns out that there really is some new flaw in Windows 2000, Microsoft appears to have been on top of this problem. Certainly, we all know that a lot of poorly secured servers are floating around out there, so the idea that someone is attacking them through weak administrator passwords isn't that far-fetched. The fact that only Win2K systems have been affected, or at least reported, isn't necessarily an indication that the OS has a hidden flaw leaving it open to this attack. It may simply be that the vandals have targeted only Windows systems or that attacks on other platforms don't cause the same denial of service event and therefore may not have drawn much attention yet. If you have servers that don't run Windows 2000, and anything seems amiss, I would still give it a quick check for unusual activity that might be related to a similar attack. I realise that's not very helpful. With most busy servers, some kind of nagging issue is usually going on. Nevertheless, this is one more thing to be aware of.
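A triage check for the indicator files the notice lists, as an added example here (not from the article and not Microsoft's own tooling): it walks a directory tree, flags the attack artifacts by name, flags the named administration tools unless the administrator records having installed them, and compares the normally present binaries against a known-good hash baseline the administrator supplies. The .exe names for Psexec, Ws_ftp and Flashfxp, the baseline dictionary and the sample tree are assumptions.

```python
"""Triage scan for the indicator files named in Microsoft's notice on the
Windows 2000 / Backdoor.IRC.Flood compromises (added example, not the article's code)."""
import hashlib
import os

# File names from the notice, grouped by how a finding should be read.
# Names are compared case-insensitively, as on a Windows file system.
ATTACK_ARTIFACTS = {"gates.txt", "gg.bat", "seced.bat"}          # presence alone is suspicious
UNEXPECTED_TOOLS = {"psexec.exe", "ws_ftp.exe", "flashfxp.exe"}  # legitimate tools; assumed .exe names
POSSIBLY_ALTERED = {"mdm.exe", "taskmngr.exe"}                   # normally present; compare to a baseline


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to be read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan(root, known_good=None, admin_installed=()):
    """Walk `root` and return findings as (severity, path, reason) tuples.

    known_good:      {lowercase filename: sha256 hex} baseline for the normally
                     present binaries (assumed to be supplied by the administrator).
    admin_installed: lowercase names of tools the administrator knowingly installed.
    """
    known_good = known_good or {}
    admin_installed = {name.lower() for name in admin_installed}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lname = name.lower()
            full = os.path.join(dirpath, name)
            if lname in ATTACK_ARTIFACTS:
                findings.append(("high", full, "attack artifact named in the notice"))
            elif lname in UNEXPECTED_TOOLS and lname not in admin_installed:
                findings.append(("medium", full, "tool present but not recorded as admin-installed"))
            elif lname in POSSIBLY_ALTERED:
                baseline = known_good.get(lname)
                if baseline is None:
                    findings.append(("info", full, "no known-good hash supplied; verify manually"))
                elif sha256_of(full) != baseline:
                    findings.append(("high", full, "hash differs from known-good baseline"))
    return findings
```

Run it against the system drive of a suspect server with a baseline taken from a clean installation of the same build; a high finding on a hash mismatch should be confirmed with current antivirus signatures before cleanup begins.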