News Stay informed about the latest enterprise technology news and product updates.

Experts: IIS attack overblown, but still worrisome

Experts believe the scope of last week's Internet assault was overblown. But some worry it was merely a test run for a more destructive attack.

As an attack on Microsoft's IIS 5.0 and Internet Explorer unfolded last week, the information security community feared it was seeing a far-reaching, damaging Internet assault. Experts now believe its scope was overblown, but some worry it was merely a test run for a more destructive attack.

Scott Blake, vice president of information security at BindView Corp. of Houston, is among those who believe it was less widespread. "Big sites were hit and there are now more backdoor PCs out there," he said. "But there are always backdoor PCs out there ready to be exploited. If anything, this was a dud. It didn't take the danger up a peg. It just pointed out more clearly the peg that's already there; that this has become a valuable tool for organized crime. Scam artists used to abuse phone lines to steal information. Now it's the Internet."

Ken Dunham, director of malicious code research at iDefense of Reston, Va., believes the implications of the attack are "huge" because it shows the Russian-based HangUP group, believed responsible for last week's exploit and the recent rash of Korgo worms, "has a new trick in their bag to attack IE users at will."

He said HangUP has stolen hundreds of megabytes of financial data to sell on the black market. Last week's attack, he added, was designed to plant keystroke loggers and Trojans on breached machines to steal more financial information like credit card numbers. He's convinced the group is just getting started.

"They got tons of data from Korgo, and tons more from this attack," Dunham said. "These are very sophisticated people and they're going to exploit this trick for all it's worth. Our concern is that they may have an automated exploit to hack servers. That doesn't seem to be the case with this attack, but what about the future?"

Microsoft has concluded the assault was not that of a worm or virus, but a targeted manual attack by individuals or groups towards a specific server. It exploited security holes in IIS 5.0 and IE, using compromised sites to append JavaScript to the bottom of Web pages. When executed, the JavaScript would access a file hosted on another server that could contain malicious code and infect the end user's system.

Some IT practitioners said they've seen no evidence they were affected.

"Most of my company's clients are small businesses, 10 servers at the high end, and this particular attack had little impact," said Bradley Dinerman, technical operations manager for Newton, Mass.-based MIS Alliance Corp., which provides companies with IT management services. "Our servers are well-maintained and patched and always have the latest virus definitions, so they were not at risk."

Jason Beta, an IT security contractor with the City of Jacksonville in Florida, also saw no evidence the attack affected his systems. That doesn't mean he isn't concerned.

"We have 4,000 users, many of them not computer savvy," Beta said. "People who work in the animal control department, for example, could get infected with this and not even know it. We worry, but all you can do is manage your tools, time and priorities as best you can."

The attack has renewed debate that IE is so flawed that it should be ditched for more secure browsers. But not all share that view.

"A lot of the ranting against Microsoft is unfair," Beta said. "People forget that security has only become a bigger focus in the last two years. People code software. People are not perfect and make mistakes. More people use IE, so it's a bigger target. You can't write perfect code, but I think they do their best."

Dinerman said calls for alternative browser use aren't without merit. But one point is missing from the argument.

"We're still living in a Microsoft world," Dinerman said in an e-mail interview. "A vast majority of Web sites were designed and developed around IE." Although browsers like Netscape Navigator are easily downloadable, he said the fact is that many users still prefer the ease, familiarity and availability of IE.

Blake agreed. "Whatever the dominant program is, it will be the target," he said. "If everyone switches to Netscape, the bad guys will write code for Netscape."

Dig Deeper on Application attacks (buffer overflows, cross-site scripting)

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.