Information Security News mailing list archives

Old Worm Strikes Security Contractor - Report


From: InfoSec News <isn () c4i org>
Date: Tue, 4 Sep 2001 04:19:05 -0500 (CDT)

http://www.newsbytes.com/news/01/169660.html

By Brian McWilliams, Newsbytes
ALEXANDRIA, VIRGINIA, U.S.A.,
01 Sep 2001, 12:34 AM CST
 
A Web server operated by Veridian Corporation has been infected with
the Sadmind Worm, according to a report by a French hacking
information site.

In an online article published Monday, Kitetoa.com claimed that it had
discovered evidence that Veridian's site was compromised by Sadmind, a
self-propagating worm that replaces the homepage on infected sites
with a profane, anti-American message in red letters on a black
background.

Officials from Veridian, a U.S. government contractor that specializes
in network security management, were not immediately available for
comment.

Kitetoa has published an image of the Veridian defacement at its Web
site. The page at Veridian's site, http://www.veridian.com/upload/,
was not viewable today.

The Sadmind worm, first identified in May, turns vulnerable Sun
Microsystems servers running the Solaris operating system into robots
that deface sites running unpatched versions of Microsoft's Internet
Information Server (IIS) software.

According to Netcraft.com, Veridian is running Microsoft's IIS version
5 on Windows 2000.

Last week, the Defense Intelligence Agency announced that it is
awarding a contract to Veridian to assist the agency in analyzing
network intrusions on Department of Defense networks.

Kitetoa has a penchant for showing up high-profile Internet companies.

In March this year, Kitetoa discovered that two servers operated by
online ad giant DoubleClick had been compromised by hackers. In
response to the Kitetoa report, DoubleClick representatives confirmed
that attackers had placed a back-door program on the company's server
at doubleclick.net, and had viewed files on another server at
abacusonline.doubleclick.net.

A year ago, Kitetoa reported that software maker Bull Groupe's Web
site had left exposed an internal sales and marketing database
containing confidential customer information.

This year, the Sadmind worm has vandalized more Web sites than any
human hacking group. According to statistics gathered by the
Safemode.org defacement archive, the worm has infected at least 874
sites since June. The second most prolific defacer is a crew known as
BHS, which has racked up 436 defacements since November of last year.

Once the Sadmind worm has penetrated a Sun machine by exploiting a
known vulnerability in Solaris, it scans the Internet for Windows NT
or Windows 2000 systems running IIS. When it finds a system vulnerable
to the Unicode exploit, the worm defaces the machine's home page.

Other prominent companies with servers recently infected by the worm
include Quote.com, Informix Corp. and Upside Media, according to
Safemode records.

Veridian Corporation is at: http://www.veridian.com .

The Kitetoa report on Veridian is at:
http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/Admin7/veridian1.shtml .

The image of the Veridian defacement is at:
http://www.kitetoa.com/Images4/Veridian.com/veridian.gif .

Information on the Sadmind worm can be found here:
http://www.cert.org/advisories/CA-2001-11.html .



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

