Experts await wider attacks against Windows 2000 vulnerability

Microsoft Corp. has released a patch for the rare zero-day exploit of a weakness in its Windows 2000 operating systems, but some security experts say a broader attack could be in the offing.

The original exploit, which uses Microsoft's Internet Information Services as a vector, was a standalone executable aimed at a single server, said Russ Cooper, surgeon general of TruSecure Corp. of Herndon, Va. TruSecure originally reported the March 10 incident.

"I do expect that in the next seven to 10 days we're going to see a worldwide wave" of attacks, probably via an Internet worm, Cooper said. "And it will be effective."

He estimated there are more than 4 million vulnerable servers worldwide. Although the patch is available, past experience shows "the vast majority of them" won't be protected in time, he said.

Cooper initially reported that the first server compromised through the buffer overflow in the IIS Web-based Distributed Authoring and Versioning function was an Army box. He said today it might not have been an Army machine, but probably was within the Defense Department.

The Army said Wednesday it was not the target.

"To the best of our knowledge, an Army system was not attacked," said Col. Ted Dmuchowski, director of Information Assurance of the Army's Network Technology Enterprise Command. "According to our records, the military sites that were attacked did not belong to the Army."

The attack was unusual because the vulnerability was not known until the exploit was seen in the wild, making it difficult to defend against.

The vulnerability that lets an intruder run arbitrary code is in Win 2000. It is reached through the WebDAV function of IIS, which is enabled by default on IIS 5 installations.

The X-Force lab of Internet Security Systems Inc. of Atlanta examined the attack code.

"The exploit is fairly robust," said Dan Ingevaldson, X-Force research and development team leader. "The copy worked very well against all of the machines we tried it on. It seems like a lot of work went into it."

Despite the code's effectiveness, it probably was not the work of a serious cyberterrorist or of a nation, Cooper said.

"My best speculation is that it probably was an individual who wanted to get sensitive information to prove he was a better hacker than his friends," he said.

The exploit scans the server's network and sends information back through a port usually used for encrypted traffic that would not be routinely monitored, which shows a certain level of sophistication. But if the attack had been a proof-of-concept prelude to cyberwarfare, "he would have been attacking a little server in Timbuktu" and not a DOD server, Cooper said.

But both Cooper and Ingevaldson said development of a worm to act as a delivery vehicle for the exploit is a probability. Given the large number of vulnerable machines, the fact that many users are not aware IIS is running on their servers and the fact that WebDAV is turned on by default, the risk of serious damage is real.

(Updated March 19, 2003 1:43 p.m.)