Information Security News mailing list archives

Netscape Sees Red As FBI Warns Of New Attack


From: InfoSec News <isn () c4i org>
Date: Fri, 17 Aug 2001 03:30:58 -0500 (CDT)

http://www.newsbytes.com/news/01/169122.html

By Brian McWilliams, Newsbytes
MOUNTAIN VIEW, CALIFORNIA, U.S.A.,
17 Aug 2001, 12:14 AM CST
 
A minimum of eight servers operated by America Online's Netscape
Communications division have been infected with the Code Red worm,
according to independent intrusion monitoring services.

The compromised systems, all with Internet addresses registered to
Netscape, have probed dozens of healthy computers nearby in the past
few days, in an attempt to spread the Code Red infection.

At least six of the Netscape systems were still infected today. None
of the machines responded to connection requests. Service to
Netscape's homepage and other online services appeared unaffected by
the malicious, self-propagating worm, as did the Internet properties
of its parent, AOL.

Netscape officials did not reply to interview requests.

The infiltration of Netscape's network by Code Red comes as the
Federal Bureau of Investigation issued a caution today about the
original version of the worm. According to the FBI, Code Red I will
commence a second denial of service attack against an IP address
assigned to the Web site operated by the White House at 8:00 p.m.
Eastern, Sunday August 19.

Log file entries created by at least one of the infected Netscape
servers indicate the machine has been compromised by the latest, more
dangerous variant of the worm, known as Code Red II, according to Jay
Dyson, an independent security consultant.

Using Early Bird, an automated intrusion detection system he
developed, Dyson was first to observe the compromise of Netscape's
network and report it to the company Thursday. According to Dyson, he
received no response to his e-mail to Netscape.

Many of the worms' probes were recorded by system administrators who
participate in MyNetWatchman, a free service that compiles firewall
log files from computer operators and automatically escalates serious
intrusions to the proper authorities.

Code Red II, and its predecessor, Code Red I, both target vulnerable
Windows systems running Microsoft's Internet Information Server (IIS)
software.

It was not immediately clear why Netscape, which develops its own
suite of Web server software, Netscape iPlanet, was running
Microsoft's IIS product. Nor was it apparent what task the infected
servers were originally intended to perform. In addition to a
high-traffic Web portal, Netscape operates numerous servers for
downloading iPlanet components, as well as its Navigator browser and
Communicator messaging software products. Netscape competes intensely
against Microsoft offerings in each of those services and product
lines.

Earlier this month, Microsoft battled a Code Red infection of its own
which compromised an undisclosed number of computers supporting the
company's MSN Hotmail, a free Web-based e-mail service.

While Code Red I was designed primarily to deface Web pages and launch
a denial of service attack on the White House, Code Red II does not
deface the home page of a target system. Instead, the newer worm
secretly creates what security experts call a "back door" on the
infected server, enabling the worm's author or any other attacker to
remotely take complete control of the machine.

Systems infected with both variants of Code Red automatically attempt
to spread the malicious program by probing other Internet servers to
determine if they are exposed to a security flaw discovered in June.
As they scan other systems, the worms leave a unique fingerprint in
the Web logs maintained by most servers.

By compiling log files from numerous system administrators, services
such as MyNetWatchman can help to quickly identify outbreaks of
Internet infections.
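The fingerprint the article refers to is the worm's probe request showing up in ordinary web server logs. As an added illustration (not code from the article, MyNetWatchman or Early Bird), the script below scans constructed common-log-format lines for the request paths documented in the CERT advisories for the two variants (/default.ida padded with N for Code Red I and X for Code Red II; the payload that followed the padding is omitted) and tallies probing sources per variant, the kind of aggregation a log-sharing service would do before escalating:

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (Apache common log format). Addresses are
# documentation ranges; the N/X padded /default.ida requests are the
# fingerprints from the CERT advisories, with the payload left out.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Aug/2001:03:12:44 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
203.0.113.21 - - [16/Aug/2001:03:13:02 -0500] "GET /index.html HTTP/1.0" 200 1534
198.51.100.7 - - [16/Aug/2001:03:14:10 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 276
192.0.2.33 - - [16/Aug/2001:03:15:51 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
192.0.2.33 - - [16/Aug/2001:03:16:03 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 276
203.0.113.21 - - [16/Aug/2001:03:17:30 -0500] "GET /products/download.html HTTP/1.0" 200 8812
"""

# Source address, timestamp, method and request path of a common-log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
# A long run of N or X right after /default.ida? tells the two variants apart.
CODE_RED_RE = re.compile(r'^/default\.ida\?(?P<pad>N{8,}|X{8,})', re.IGNORECASE)


def classify_request(path):
    """Return 'Code Red I', 'Code Red II' or None for one request path."""
    m = CODE_RED_RE.match(path)
    if not m:
        return None
    return "Code Red I" if m.group("pad")[0].upper() == "N" else "Code Red II"


def scan_log(text):
    """Return {source_ip: {variant: probe_count}} for every probe seen in the log."""
    hits = defaultdict(Counter)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a common-log line; ignore it
        variant = classify_request(m.group("path"))
        if variant:
            hits[m.group("ip")][variant] += 1
    return {ip: dict(c) for ip, c in hits.items()}


def infected_sources(text, min_hits=1):
    """Sorted source IPs that probed at least min_hits times (candidates for escalation)."""
    return sorted(ip for ip, c in scan_log(text).items() if sum(c.values()) >= min_hits)


if __name__ == "__main__":
    for ip, counts in sorted(scan_log(SAMPLE_LOG).items()):
        print(ip, counts)
```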

Microsoft released a patch for the vulnerability exploited by the
worm, a bug known as the IDA flaw, on June 18. But hundreds of
thousands of administrators of IIS servers failed to install it five
weeks later, when Code Red I began to spread virulently. At its peak,
the original worm burrowed into at least a quarter million IIS
machines; Code Red II quickly infected approximately 150,000 Microsoft
servers, according to the Computer Emergency Response Team (CERT), a
federally funded security clearinghouse at Carnegie-Mellon University.

Statistics compiled by Incidents.org, an intrusion reporting service
operated by the SANS Institute, indicate that machines at more than
75,000 unique Internet protocol (IP) addresses are still infected with
some form of Code Red today and actively probing other systems.

According to the FBI's National Infrastructure Protection Center
(NIPC), the threat posed by the upcoming attack is "significantly
reduced," due in part to a reduction in the number of systems infected
with Code Red I.

Last month, White House system administrators dodged the first denial
of service attack by disabling the IP address targeted by the worm and
moving the site to a different address.

Netscape Communications is at http://www.netscape.com

MyNetWatchman is at http://www.mynetwatchman.com

Early Bird is available at http://www.treachery.net/~jdyson/earlybird/

The NIPC warning is online at
http://www.nipc.gov/warnings/assessments/2001/01-018.htm

Reported by Newsbytes, http://www.newsbytes.com 



-
ISN is currently hosted by Attrition.org
