Information Security News mailing list archives

Alert: Windows May Deny Users


From: InfoSec News <isn () c4i org>
Date: Thu, 5 Sep 2002 00:41:04 -0500 (CDT)

http://www.wired.com/news/technology/0,1282,54942,00.html

By Brian McWilliams 
2:30 p.m. Sep. 4, 2002 PDT 

Microsoft has issued an unusual warning to Windows users: watch out 
for a hack attack that could lock you out of your computer and turn it 
into a launching pad for other attacks. 

But some security experts said Microsoft's breathless warning provided 
administrators with little help in sizing up -- or even fending off -- 
the potential attack. 

According to a "hacking alert" posted [1] on its website, Microsoft's
Product Support Services (PSS) Security Team has detected a
"significant spike" in Windows systems compromised by a mysterious
attack.

Once hit, systems may not allow legitimate users to log on to the 
network, due to changes made to the systems' security settings, 
Microsoft said. 

Marty Lindner of the Computer Emergency Response Team said the federal 
security clearinghouse had no additional information about the attacks 
mentioned in Microsoft's bulletin, which he termed "very vague." 

According to Microsoft, several rogue files may be present on 
compromised systems, including seced.bat, which changes the security 
policies in Windows 2000 and Windows XP. If the affected systems are 
used as domain controllers, users may be locked out of the network. 

Edward Alfert, an information technology manager in Florida, said 
several Windows 2000 systems at a customer's site were recently hit by 
the attackers and configured to run seced.bat at startup. 

Mark Miller, a security specialist for Microsoft PSS, said the company 
hasn't determined how attackers were able to place the malicious files 
on affected systems. He added that compromised systems do not appear 
to be victims of a self-propagating Internet worm. 

In its warning, Microsoft noted that antivirus software may not detect 
some of the attack files, specifically "back door" programs that 
provide an attacker with remote access to an infected system using 
Internet relay chat (IRC) networks. 

Frank Deluca, an information systems manager with a financial services 
firm in Ohio, discovered several Windows systems apparently infected 
with the malicious code last week. Deluca said the machines all had a 
program named taskmngr.exe running at startup. 

The program, not to be confused with the legitimate Windows task 
manager utility, taskmgr.exe, attempted to open a connection to an 
external site using port 6667, which is normally used by IRC servers, 
Deluca reported. 
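The indicators the article reports lend themselves to a simple host triage check: a process name that is a near-miss of a legitimate Windows binary (taskmngr.exe against taskmgr.exe), an outbound connection to the IRC port 6667, and a startup entry that runs seced.bat. The script below is an added example, not code from the article or from Microsoft; the process, connection and startup records it runs over are constructed, and the lookalike threshold and the set of legitimate names are assumptions.

```python
# Added example (not from the article): flag the indicators the report describes
# in constructed process, connection and startup records.
from difflib import SequenceMatcher

# Assumed list of legitimate names to compare against; extend for a real host.
LEGIT_BINARIES = {"taskmgr.exe", "svchost.exe", "explorer.exe", "lsass.exe"}
IRC_PORTS = {6667}                       # port the article says the program used
SUSPICIOUS_STARTUP = {"seced.bat", "taskmngr.exe"}  # file names named in the article

def lookalike_of(name, known=LEGIT_BINARIES, threshold=0.85):
    """Return the legitimate binary `name` closely resembles, or None.
    An exact match is not a lookalike; a near-miss above the threshold is."""
    name = name.lower()
    if name in known:
        return None
    best = max(known, key=lambda k: SequenceMatcher(None, name, k).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= threshold else None

def triage(processes, connections, startup_entries):
    """processes: list of {"pid", "name"}; connections: list of {"pid", "remote", "port"};
    startup_entries: command strings from Run keys or the startup folder.
    Returns a list of (pid or None, reason) findings."""
    findings = []
    by_pid = {p["pid"]: p["name"] for p in processes}
    for p in processes:
        twin = lookalike_of(p["name"])
        if twin:
            findings.append((p["pid"], f'{p["name"]} looks like {twin}'))
    for c in connections:
        if c["port"] in IRC_PORTS:
            proc = by_pid.get(c["pid"], "?")
            findings.append((c["pid"], f'{proc} -> {c["remote"]}:{c["port"]} (IRC port)'))
    for cmd in startup_entries:
        if any(tok in cmd.lower() for tok in SUSPICIOUS_STARTUP):
            findings.append((None, f"startup entry runs {cmd}"))
    return findings

# Constructed sample data (not real telemetry); the remote addresses are documentation ranges.
SAMPLE_PROCS = [{"pid": 4, "name": "System"}, {"pid": 812, "name": "taskmgr.exe"},
                {"pid": 1440, "name": "taskmngr.exe"}]
SAMPLE_CONNS = [{"pid": 1440, "remote": "203.0.113.7", "port": 6667},
                {"pid": 812, "remote": "198.51.100.2", "port": 443}]
SAMPLE_STARTUP = [r"C:\WINNT\system32\seced.bat", r"C:\WINNT\explorer.exe"]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_PROCS, SAMPLE_CONNS, SAMPLE_STARTUP):
        print(pid, reason)
```

On the sample data the script reports the lookalike process, its connection to port 6667, and the seced.bat startup entry, and nothing for the legitimate task manager.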

Microsoft's Miller said keystroke loggers have also been found on 
infected systems. 

An analysis of taskmngr.exe by malicious code experts at TruSecure 
Research Group showed it contained a modified version of the popular 
mIRC chat client. When launched with an initialization file created by 
the hackers, the program connects the infected computer to an IRC 
server located at wO0t.nofw.org. 

Microsoft's bulletin advised affected Windows users to follow CERT's
recovery advice [2], which includes reinstalling the system's
operating system.

Microsoft's PSS Security Team has issued a half-dozen virus warnings 
this year. Although Microsoft has rededicated itself to improving the 
security of its products, some security experts found the company's 
latest hack alert puzzling. 

"It's easily one of the most unprofessional pieces of crap I've ever 
read. Vague, indirect, doesn't say anything useful at all," said 
Harlan Carvey, a security engineer with a financial services firm. 

[1] http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691
[2] http://www.cert.org/tech_tips/root_compromise.html



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.