Well, perhaps Microsoft is culpable again. Whatever the cause and
whoever the perpetrator, a new worm has been circulating for a few
days now.
It hasn't brought down the 'Net or Windows PCs ... but it is affecting
IIS web servers world-wide, even MS's own upload server. As well, it
is wreaking havoc with routers receiving voluminous amounts of web
queries from the worm's multitudinous instances all over the net, each
trying to crack specific USA government web server(s) at a preset
target date.
Apparently, that target date has been reached, the attack on the
USA servers was ineffective, but analysis shows that the worm now
sleeps, awaiting its next target date.
This is yet another portent of doom as far as Microsoft computers are concerned.
-rickw
-------------------------------------------------------------------------------
-------------------------------------------------- Forwarded message ----------
Date: Thu, 19 Jul 2001 21:54:45 -0600 (MDT)
From: security curmudgeon <jericho@attrition.org>
To: defaced-commentary@attrition.org
Subject: [defaced-commentary] Another Microsoft Web sites defaced bringing
total to 16
Earlier today, two Microsoft Web sites fell victim to a new worm making
the rounds nicknamed the '.ida "Code Red" worm' because part of the worm
is designed to deface Web pages with the text "Hacked by Chinese" and also
because Code Red Mountain Dew was apparently the only thing that kept
employees from eEye Digital Security awake all last night to be able to
disassemble the worm in detail.
The worm propagates itself via Microsoft IIS Web servers through the .ida
buffer overflow attack published a few weeks ago. The worm then sets
itself up on the infected system and creates 99 other "threads" or
instances of the virus to spread the worm to other Web servers.
Full details of the worm can be found here:
http://www.eeye.com/html/Research/Advisories/AL20010717.html
This makes the 16th time a Microsoft Web site has been defaced including
the corporation's global sites in Brazil, Slovenia, New Zealand, Mexico,
UK, Saudi Arabia and South Africa as well as six servers from their
corporate headquarters.
The full list of past Microsoft targets has included:
msrconf.microsoft.com (a supposed retired MS server and the first recorded
defacement of a Microsoft server) on October 24, 1999
http://www.attrition.org/mirror/attrition/1999/10/24/msrconf.microsoft.com/CMT/
Microsoft Brazil by IZ corp defaced June 3, 2000
http://defaced.alldas.de/mirror/2000/06/03/www.microsoft.com.br/
The Microsoft Events Server by someone unknown on November 7, 2000
http://www.attrition.org/mirror/attrition/2000/11/07/events.microsoft.com
Microsoft Slovenia (defaced twice) the first time by Furia.BR on December
14, 2000 and the second time by BoLoDoRiO 3 days later
http://defaced.alldas.de/mirror/2000/12/14/www.microsoft.si/
http://www.attrition.org/mirror/attrition/2000/12/17/www.microsoft.si
Microsoft New Zealand was defaced by Prime Suspectz on January 23rd of
this year:
http://defaced.alldas.de/mirror/2001/01/23/www.microsoft.co.nz/
Microsoft UK, Microsoft Saudi Arabia and Microsoft Mexico were all defaced
on May 3rd, 2001 by Prime Suspectz:
http://defaced.alldas.de/mirror/2001/05/03/www.microsoft.co.uk/
http://www.attrition.org/mirror/attrition/2001/05/03/www.microsoft.com.sa/
http://www.attrition.org/mirror/attrition/2001/05/03/www.microsoft.com.mx/
Microsoft's STREAMER server was defaced by Prime Suspectz on May 7th, 2001:
http://www.attrition.org/mirror/attrition/2001/05/07/streamer.microsoft.com/
Microsoft Romania was defaced by Pentaguard on May 17th, 2001:
http://defaced.alldas.de/mirror/2001/05/18/www.microsoft.ro/
The MSN Mobile "feeds" server was defaced by Prime Suspectz on June 21st, 2001:
http://defaced.alldas.de/mirror/2001/06/21/feeds.mobile.msn.com/
The Microsoft South Africa "interface" server was defaced by the group BlackSun:
http://defaced.alldas.de/mirror/2001/06/19/www.interface.microsoft.co.za/
Two Microsoft RTE servers were defaced by the group Prime Suspectz:
http://defaced.alldas.de/mirror/2001/06/21/redsand.rte.microsoft.com/
http://defaced.alldas.de/mirror/2001/06/21/arulk.rte.microsoft.com/
-
The information and commentary is Copyright 2001, by the individual author.
Permission is granted to quote, reprint or redistribute provided the text is not
altered, and the author and attrition.org is credited. The opinions expressed
in this mail are not necessarily the opinion of all Attrition staff members.
Commentary Archive: http://www.attrition.org/security/commentary/
The Attrition Mirror: http://www.attrition.org/mirror/attrition/
Country/TLD Statistics: http://www.attrition.org/mirror/attrition/country.html
Attrition Defacement Statistics: http://www.attrition.org/mirror/attrition/stats.html
Operating System Graphs: http://www.attrition.org/mirror/attrition/os-graphs.html
Other Web Defacement Mailing Lists: http://www.attrition.org/security/lists.html
Contacting Attrition Staff: staff@attrition.org
To subscribe to Defaced Commentary, send mail to majordomo@attrition.org
with "subscribe defaced-commentary" in the BODY of the mail (without
quotes). To unsubscribe, include "unsubscribe defaced-commentary" in
the BODY of the mail.
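The forwarded message describes the worm's propagation vector (an overlong request to the IIS .ida ISAPI extension) but gives no way to spot it in server logs. The following is an added example, written for this archive page; it is not code from the original posts, from eEye, or from Microsoft. It parses constructed IIS W3C-style log lines and flags .ida/.idq requests whose query string is overlong or carries %u-encoded bytes. The field order, the 200-character threshold, the sample addresses and the filler/escape pattern in the sample query are assumptions for illustration (the filler and %u escapes reflect the general shape of the worm's request, not details taken from this message).

```python
"""Flag IIS log entries that look like the .ida buffer-overflow request
used by the Code Red worm.  Added example; not part of the original
mailing-list post and not eEye's or Microsoft's code."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed W3C extended log field order (IIS lets admins pick the fields, so
# check the #Fields: header of your own logs before running this on them):
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# .ida and .idq requests are both routed to the Index Server ISAPI
# extension (idq.dll), the component with the overflow the worm exploits.
_IDA_EXT = re.compile(r"\.id[aq]$", re.IGNORECASE)
# The worm carries its payload in IIS-specific %uXXXX (Unicode) escapes.
_UNICODE_ESCAPE = re.compile(r"%u[0-9a-fA-F]{4}")


@dataclass
class Entry:
    ip: str
    stem: str
    query: str
    status: int


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for comments and unparseable lines."""
    if line.startswith("#") or not line.strip():
        return None
    m = _LINE.match(line.strip())
    if not m:
        return None
    return Entry(m["ip"], m["stem"], m["query"], int(m["status"]))


def is_ida_overflow(e: Entry, min_query_len: int = 200) -> bool:
    """True for a .ida/.idq request whose query string is overlong or
    carries %u escapes.  A short, plain query to an .ida file (ordinary
    Index Server use) is not flagged."""
    if not _IDA_EXT.search(e.stem):
        return False
    q = "" if e.query == "-" else e.query
    return len(q) >= min_query_len or bool(_UNICODE_ESCAPE.search(q))


def scan(log_text: str) -> Dict[str, int]:
    """Return {source_ip: count of suspicious .ida/.idq requests}.
    Many distinct sources hitting the same stem in a short window is the
    signature of a worm scanning rather than a single attacker."""
    hits: Dict[str, int] = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and is_ida_overflow(e):
            hits[e.ip] = hits.get(e.ip, 0) + 1
    return hits


# Constructed sample log, not real traffic.  The run of "N" filler and the
# %u escapes mirror the shape of the worm's request; the addresses are
# RFC 5737 documentation ranges and private space.
_WORM_QUERY = "N" * 224 + "%u9090%u6858%ucbd3%u7801"
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 14:02:11 10.0.0.7 GET /index.html - 200",
    f"2001-07-19 14:02:13 192.0.2.55 GET /default.ida {_WORM_QUERY} 200",
    "2001-07-19 14:02:14 10.0.0.9 GET /help.ida q=1 404",
    f"2001-07-19 14:02:20 198.51.100.3 GET /default.ida {_WORM_QUERY} 200",
    f"2001-07-19 14:02:21 198.51.100.3 GET /default.ida {_WORM_QUERY} 200",
    "2001-07-19 14:02:25 10.0.0.7 GET /search.idq CiRestriction=%u0041 200",
])

if __name__ == "__main__":
    for ip, n in sorted(scan(SAMPLE_LOG).items()):
        print(f"{ip}: {n} suspicious .ida/.idq request(s)")
```

The last sample line is flagged by the %u rule alone, even though its query is short; on a host that genuinely serves Index Server queries, tune that rule (or require both conditions) to keep false positives down. The robust fix is the one the eEye advisory points at: remove the .ida/.idq script mappings or apply the vendor patch, at which point these requests return an error instead of reaching idq.dll.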
This archive was generated by hypermail 2.1.1 : Tue Jul 31 2001 - 03:10:05 EST