From: InfoSec News (isn_at_c4i.org)
Date: Thu Sep 05 2002 - 00:41:04 CDT
By Brian McWilliams
2:30 p.m. Sep. 4, 2002 PDT
Microsoft has issued an unusual warning to Windows users: watch out
for a hack attack that could lock you out of your computer and turn it
into a launching pad for other attacks.
But some security experts said Microsoft's breathless warning provided
administrators with little help in sizing up -- or even fending off --
the potential attack.
According to a "hacking alert" posted on its website, Microsoft's
Product Support Services (PSS) Security Team has detected a
"significant spike" in Windows systems compromised by a mysterious
Once hit, systems may not allow legitimate users to log on to the
network, due to changes made to the systems' security settings,
Marty Lindner of the Computer Emergency Response Team said the federal
security clearinghouse had no additional information about the attacks
mentioned in Microsoft's bulletin, which he termed "very vague."
According to Microsoft, several rogue files may be present on
compromised systems, including seced.bat, which changes the security
policies in Windows 2000 and Windows XP. If the affected systems are
used as domain controllers, users may be locked out of the network.
Edward Alfert, an information technology manager in Florida, said
several Windows 2000 systems at a customer's site were recently hit by
the attackers and configured to run seced.bat at startup.
Mark Miller, a security specialist for Microsoft PSS, said the company
hasn't determined how attackers were able to place the malicious files
on affected systems. He added that compromised systems do not appear
to be victims of a self-propagating Internet worm.
In its warning, Microsoft noted that antivirus software may not detect
some of the attack files, specifically "back door" programs that
provide an attacker with remote access to an infected system using
Internet relay chat (IRC) networks.
Frank Deluca, an information systems manager with a financial services
firm in Ohio, discovered several Windows systems apparently infected
with the malicious code last week. Deluca said the machines all had a
program named taskmngr.exe running at startup.
The program, not to be confused with the legitimate Windows task
manager utility, taskmgr.exe, attempted to open a connection to an
external site using port 6667, which is normally used by IRC servers,
Microsoft's Miller said keystroke loggers have also been found on
An analysis of taskmngr.exe by malicious code experts at TruSecure
Research Group showed it contained a modified version of the popular
mIRC chat client. When launched with an initialization file created by
the hackers, the program connects the infected computer to an IRC
server located at wO0t.nofw.org.
Microsoft's bulletin advised affected Windows users to follow CERT's
recovery advice, which includes reinstalling the system's
Microsoft's PSS Security Team has issued a half-dozen virus warnings
this year. Although Microsoft has rededicated itself to improving the
security of its products, some security experts found the company's
latest hack alert puzzling.
"It's easily one of the most unprofessional pieces of crap I've ever
read. Vague, indirect, doesn't say anything useful at all," said
Harlan Carvey, a security engineer with a financial services firm.
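
The indicators the article names (seced.bat or a taskmgr.exe look-alike set to run at startup, and outbound connections to port 6667) can be checked with a short triage script. This is an added example, not code from the article or from Microsoft's alert; the allow-list, the paths, the addresses and the sample records are constructed assumptions.

```python
import ntpath

# File name the article reports on compromised systems.
REPORTED_NAMES = {"seced.bat"}
# Assumption: a small allow-list of genuine Windows binary names.
KNOWN_GOOD = ["explorer.exe", "lsass.exe", "svchost.exe", "taskmgr.exe"]
IRC_PORT = 6667  # port named in the article

# Constructed sample data, not taken from a real host.
SAMPLE_STARTUP = [
    r"C:\WINNT\system32\taskmgr.exe",
    r"C:\WINNT\system32\taskmngr.exe",
    r"C:\WINNT\system32\seced.bat",
    r"C:\Program Files\Backup\agent.exe",
]
SAMPLE_CONNS = [
    {"process": "taskmngr.exe", "remote": "192.0.2.10", "remote_port": 6667},
    {"process": "iexplore.exe", "remote": "192.0.2.20", "remote_port": 80},
]

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage_startup(entries, max_distance=2):
    """Return (path, reason) pairs for startup entries that need review."""
    findings = []
    for path in entries:
        name = ntpath.basename(path.strip('"')).lower()
        if name in REPORTED_NAMES:
            findings.append((path, "file name reported in the alert"))
        elif name not in KNOWN_GOOD:
            # A near miss of a genuine name suggests masquerading.
            near = [g for g in KNOWN_GOOD if edit_distance(name, g) <= max_distance]
            if near:
                findings.append((path, "look-alike of " + near[0]))
    return findings

def triage_connections(conns):
    """Return connection records whose remote port is the IRC port."""
    return [c for c in conns if c["remote_port"] == IRC_PORT]
```

The check matches on file names and port only, so a hit is a prompt for review rather than proof of compromise, and a genuine name in an unexpected directory is not covered.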
ISN is currently hosted by Attrition.org