2001-03-08 22:47:50

by Jeff V. Merkey

[permalink] [raw]
Subject: [Open Source W2K argument fallout][[email protected]: Large Criminal Hacker Attack on Windows NT E-Banking and E-Commerce Sites]

I am continually amazed at how secure an "open source" OS is in
comparison to W2K. Relative to the W2K open source arguments, one
good fallout would be that folks would be able to identify
holes like this one quickly.

Jeff

----- Forwarded message from The SANS Institute <[email protected]> -----

Return-Path: <[email protected]>
Received: from server1.SANS.ORG (server1.sans.org [167.216.133.33])
by vger.timpanogas.org (8.9.3/8.9.3) with ESMTP id QAA11014
for <[email protected]>; Thu, 8 Mar 2001 16:22:36 -0700
Received: by server1.SANS.ORG (rbkq) id QIH77838
for [email protected]; Thu, 8 Mar 2001 15:28:21 -0700 (MST)
Date: Thu, 8 Mar 2001 15:28:21 -0700 (MST)
Message-Id: <[email protected]>
From: The SANS Institute <[email protected]>
Subject: Large Criminal Hacker Attack on Windows NT E-Banking and E-Commerce Sites
Precedence: bulk
Errors-To: [email protected]
Sender: [email protected]
To: Jeff Merkey (SD393872) <[email protected]>
Status: RO
Content-Length: 9398
Lines: 221

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Large Criminal Hacker Attack on Windows NT E-Banking and E-Commerce
Sites

3:00 PM EST, Thursday, March 8, 2001

In the largest criminal Internet attack to date, a group of Eastern
European hackers has spent a year systematically exploiting known
Windows NT vulnerabilities to steal customer data. More than a million
credit cards have been taken and more than 40 sites have been
victimized.

The FBI and Secret Service are taking the unprecedented step of
releasing detailed forensic information from ongoing investigations
because of the importance of the attacks.

The information was released to the SANS community a short time before
it was made available to the general public so that you can be sure your
systems are safe.

Within a day or two, the Center for Internet Security will release a
small tool that you can use to check your systems for the
vulnerabilities and also to look for files the FBI has found present on
many compromised systems - indicating your system may have already been
compromised by the attacker group.

The Center's tools are normally available only to members, but because
of the importance of this problem, the Center agreed to make the new
tool, built for the Center by Steve Gibson of Gibson Research) available
to all who need it. Center members have already received an invitation
to the conference call this afternoon to get more data on the attack.
If your organization is not a member, we encourage you to join in this
important initiative to fight back against computer crime. See
http://www.cisecurity.org for a list of members and how to join.


Alan
Alan Paller
Director of Research
The SANS Institute


Here's the data available so far.

Over the past several months, the National Infrastructure Protection
Center (NIPC) has been coordinating investigations into a series of
organized hacker activities specifically targeting U.S. computer systems
associated with e-commerce or e- banking. Despite previous advisories,
many computer owners have not patched their systems, allowing these
kinds of attacks to continue, and prompting this updated release of
information.

More than 40 victims located in 20 states have been identified and
notified in ongoing investigations in 14 Federal Bureau of Investigation
Field Offices and 7 United States Secret Service Field Offices. These
investigations have been closely coordinated with foreign law
enforcement authorities, and the private sector. Specially trained
prosecutors in the Computer and Telecommunication Coordinator program
in U.S. Attorneys' Offices in a variety of districts have participated
in the investigation, with the assistance of attorneys in the Computer
Crime and Intellectual Property Section at the Department of Justice.

The investigations have disclosed several organized hacker groups from
Eastern Europe, specifically Russia and the Ukraine, that have
penetrated U.S. e-commerce computer systems by exploiting
vulnerabilities in unpatched Microsoft Windows NT operating systems.
These vulnerabilities were originally reported and addressed in
Microsoft Security Bulletins MS98-004 (re-released in MS99-025),
MS00-014, and MS00-008. As early as 1998, Microsoft discovered these
vulnerabilities and developed and publicized patches to fix them.
Computer users can download these patches from Microsoft for free.

Once the hackers gain access, they download proprietary information,
customer databases, and credit card information. The hackers
subsequently contact the victim company through facsimile, email, or
telephone. After notifying the company of the intrusion and theft of
information, the hackers make a veiled extortion threat by offering
Internet security services to patch the system against other hackers.
They tell the victim that without their services, they cannot guarantee
that other hackers will not access the network and post the credit card
information and details about the compromise on the Internet. If the
victim company is not cooperative in making payments or hiring the group
for their security services, the hackers' correspondence with the victim
company has become more threatening. Investigators also believe that
in some instances the credit card information is being sold to organized
crime groups. There has been evidence that the stolen information is
at risk whether or not the victim cooperates with the demands of the
intruders. To date, more than one million credit card numbers have been
stolen.

The NIPC has issued an updated Advisory 01-003 at http://www.nipc.gov regarding
these vulnerabilities being exploited. The update includes specific
file names that may indicate whether a system has been compromised. If
these files are located on your computer system, the NIPC Watch in
Washington D.C. should be contacted at (202) 323-3204/3205/3206.
Incidents may also be reported online at http://www.nipc.gov/incident/cirr.htm.
For detailed information on the vulnerabilities that are being
exploited, please refer to the NIPC Advisory 00-60, and NIPC Advisory
01- 003.


NIPC ADVISORY 01-003

This advisory is an update to the NIPC Advisory 00-060, "E- Commerce
Vulnerabilities", dated December 1, 2000. Since the advisory was
published, the FBI has continued to observe hacker activity targeting
victims associated with e-commerce or e- finance/banking businesses.
In many cases, the hacker activity had been ongoing for several months
before the victim became aware of the intrusion. The NIPC emphasizes
the recommendation that all computer network systems administrators
check relevant systems and consider applying the updated patches as
necessary, especially for systems related to e-commerce or e-
banking/financial businesses. The patches are available on Microsoft=s
web site, and users should refer to the URLs listed below.

The following vulnerabilities have been previously reported:

Unauthorized Access to IIS Servers through Open Database
Connectivity (ODBC) Data Access with Remote Data Service (RDS):
Systems Affected: Windows NT running IIS with RDS enabled.
Details: Microsoft Security Bulletin MS99-025, NIPC CyberNotes
99-22

http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
http://www.nipc.gov/warnings/advisories/1999/99-027.htm,
http://www.nipc.gov/cybernotes/cybernotes.htm

Summary: Allows unauthorized users to execute shell commands on the
IIS system as a privileged use; Allows unauthorized access to secured,
non-published files on the IIS system; On a multi-homed
Internet-connected IIS systems, using Microsoft Data Access Components
(MDAC), allows unauthorized users to tunnel Structured Query Language
(SQL) and other ODBC data requests through the public connection to a
private back-end network.

SQL Query Abuse Vulnerability
Affected Software Versions: Microsoft SQL Server Version 7.0 and
Microsoft Data Engine (MSDE) 1.0
Details: Microsoft Security Bulletin MS00-14, NIPC CyberNotes
20-05

http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
http://www.nipc.gov/cybernotes/cybernotes.htm

Summary: The vulnerability could allow the remote author of a malicious
SQL query to take unauthorized actions on a SQL Server or MSDE database.

Registry Permissions Vulnerability
Systems Affected: Windows NT 4.0 Workstation, Windows NT 4.0
Server
Details: Microsoft Security Bulletin MS00-008, NIPC CyberNotes
20-08 and 20-22


http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
http://www.nipc.gov/cybernotes/cybernotes.htm
Summary: Users can modify certain registry keys such that:
a malicious user could specify code to launch at
system crash
a malicious user could specify code to launch at
next login
an unprivileged user could disable security measures

Web Server File Request Parsing

While they have not been shown to be a vector for the current attacks,
Microsoft has advised us that the vulnerabilities addressed by Microsoft
bulletin MS00-086 are very serious, and we encourage web site operators
to consider applying the patch provided with this bulletin as well as
the three that are under active exploitation.

http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
http://www.nipc.gov/cybernotes/cybernotes.htm

Summary: The vulnerability could allow a malicious user to run
system commands on a web server.

New Information: In addition to the above exploits, several filenames
have been identified in connection with the intrusions, specific to
Microsoft Windows NT systems. The presence of any of these files on
your system should be reviewed carefully because they may indicate that
your system has been compromised:
ntalert.exe
sysloged.exe
tapi.exe
20.exe
21.exe
25.exe
80.exe
139.exe
1433.exe
1520.exe
26405.exe
i.exe

In addition, system administrators may want to check for the
unauthorized presence of any of the following executable files, which
are often used as hacking tools:
lomscan.exe
mslom.exe
lsaprivs.exe
pwdump.exe
serv.exe
smmsniff.exe

Recipients of this Advisory are encouraged to report computer crime to
the NIPC Watch at (202) 323-3204/3205/3206. Incidents may also be
reported online at http://www.nipc.gov/incident/cirr.htm.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (BSD/OS)
Comment: For info see http://www.gnupg.org

iD8DBQE6p+mz+LUG5KFpTkYRApVrAKCd6rT++htahvzbxsIkbqMVa74fuACcDKaQ
wsjk3kVpcNQP2fPrMR9IQSw=
=WIaD
-----END PGP SIGNATURE-----

----- End forwarded message -----


2001-03-08 23:06:30

by Augustin Vidovic

[permalink] [raw]
Subject: Re: [Open Source W2K argument fallout][[email protected]: Large Criminal Hacker Attack on Windows NT E-Banking and E-Commerce Sites]

On Thu, Mar 08, 2001 at 04:40:44PM -0700, Jeff V. Merkey wrote:
> I am continually amazed at how secure an "open source" OS is in
> comparison to W2K. Relative to the W2K open source arguments, one
> good fallout would be that folks would be able to identify
> holes like this one quickly.

Hmmm. The article states that the exploited bugs had been reported
by M$ before.

More interesting is, that despite all those stolen credit car numbers
cases, a more secure paiyment system (at least challenge-based) has still
not been adopted.