Hackers have infiltrated an undisclosed number of US Army Web servers, taking advantage of a previously undisclosed buffer overflow vulnerability in a component of Microsoft's Windows 2000 that is used to manage the Web Distributed Authoring And Versioning (WebDAV) protocol.
Security experts are characterising the incident as a rare example of a "0-day" exploit, referring to an exploit that takes advantage of a vulnerability nobody is aware of and for which there is no available patch. However, Microsoft has now issued a fix for the vulnerability. Security vendors are also advising users that there are work-arounds that can be implemented immediately to reduce vulnerability.
WebDAV, which is installed by default with IIS Version 5.0, allows documents to be assigned properties and attributes and enables collaborative creation, editing and searching from remote locations. It also enables documents to be written via HTTP. However, if an attacker is able to run code with local system privileges on a vulnerable system, the attacker could take complete control of the system, including the ability to install programs, view, change or delete data, and create new accounts with full privileges.
According to Symantec, Microsoft IIS is estimated to run on about 25 per cent of the Internet's Web servers. That means about 4 million systems could be vulnerable.
"The component that has the overflow vulnerability is a core operating system component, not a flaw in IIS," surgeon general at TruSecure, Russ Cooper, said. "It happens that WebDAV is the attack vector."
An Army source notified Cooper last week of the attack. According to the source, administrators noticed that the exploit was conducting network mapping and outputting data on the terminal services port - port 3389 - to an unspecified region but to the same location over and over again. Cooper said using port 3389 was likely an attempt by the attacker to stay below the Army's security radar since it is normally used for encrypted traffic that sniffers would not try to decipher.
Cooper said he believed the Army was being deliberately targeted.
Instead of reporting the vulnerability to senior Microsoft managers, the Army reportedly filed a bug report online. Cooper said that may have contributed to critical time being lost in developing a fix. In fact, when Cooper called Microsoft on March 16 the company was unaware of the vulnerability, he said.
A spokesman for the Army's CIO, Patrick Swan, said the Army's information assurance office was currently studying the attack to "assess what it is that happened."
He said that the Air Force Computer Emergency Response Team might have discovered the same vulnerability.
Army sources said a file discovered on the hard drive of one of the compromised servers contained the phrase "welcome to the Unicorn beachhead."
Cooper said Unicorn could be a reference to Microsoft Jet 3.0, a database engine that was named Unicorn when it was in beta. "WebDAV leverages the technologies that Jet led to, so it may be a reference to that product. That's our best speculation," he said. Group product manager for Symantec's DeepSite Threat Management System, Dee Leiebenstein, recommended that users immediately either disable WebDAV or, if that was not possible, changed the length of the requests that wereauthorised to come into the Web server. By limiting that length you're able to reduce risk, she said.