September 4, 2002 6:24 PM PDT
Server attacks stump Microsoft
In an advisory posted Aug. 30, Microsoft warned customers that several companies had recently observed an "increased level of hacking activity." Microsoft Product Support Services (PSS) told system administrators to be on the lookout for Trojan horses--programs that appear to be legitimate but aren't--and for several specific kinds of odd network behavior.
On Wednesday, Mark Miller, a security specialist for Microsoft PSS, said that the attacks seemed to be ongoing, but at a much reduced level.
"We saw a pretty sharp spike," he said, adding that "we definitely consider this to be hacker activity and not worm activity."
Microsoft has only been able to characterize the attacks by certain files that each compromised machine has in common and that compromised machines have all been running Windows 2000.
One file, "gg.bat," attempts to connect to other computers using various administrator accounts. If successful, the file will then copy other files over to the compromised system. This behavior is usually considered characteristic of a worm. But Miller stressed that because the file doesn't copy itself to the victim's hard drive, it shouldn't be considered a worm.
Another file, "seced.bat," changes security settings on the compromised system. This attack could make it easier for a vandal to later log on to the computer and use the system. A third file, "gates.txt," contains a list of numerical Internet addresses. Microsoft, however, is unsure whether they are addresses of compromised systems, computers to be targeted or some unrelated list.
While the company wouldn't say how many machines or customers had been victims of the attacks, Miller did say that "it has been a significant number."
With the rate of compromise apparently declining, however, Microsoft seems willing to wait before referring incidents to the Microsoft Security Response Center, the company's internal clearinghouse for information on flaws and bugs. Miller explained that the company has not been able to determine whether the attack uses some newly discovered flaw in its operating system or just finds success because a system's Windows 2000 system patches are out of date.
"We are still monitoring the situation, and we are looking into it," Miller said.