Zero Day Attack Targets IIS Servers

Russ Cooper, surgeon general at security firm TruSecure, said attackers exploited the vulnerability to compromise a U.S. Army site. He called the situation a "zero day" attack because there was no time between the discovery of the vulnerability and its exploitation.

"Zero days are extremely rare," he said.

The flaw is a buffer overflow vulnerability in the Windows 2000 WebDAV (Web Distributed Authoring and Versioning) component used by IIS Web server software, security experts said. WebDAV allows for remote editing of Web content.

According to a bulletin issued by Microsoft, an attacker can send a specially formed HTTP request to a system running IIS that causes the server to fail or allows the attacker to take control of it. The vulnerability affects only systems running IIS 5.0 on Windows 2000.

Microsoft issued a patch for the flaw and a workaround. Information is available in Microsoft Knowledge Base Article 815021.

Cooper said TruSecure's intelligence gathering department learned last week that a U.S. Army site had been compromised and left with the message, "Welcome to Unicorn Beachhead."

Unicorn was the code name for Jet 3.0, a database access tool, he said. The word could refer to a hacker group, but he hasn't heard of one called Unicorn, he said.

Cooper urged administrators to disable WebDAV. TruSecure, based in Herndon, Va., suspects a computer worm that exploits the flaw will be released in seven to 10 days, he said.