In an enormous criminal undertaking, a group of Eastern European hackers has spent a year exploiting known Windows NT vulnerabilities to steal customer data. More than a million credit cards have been taken and more than 40 sites have been victimized. The FBI has learned that the hackers have specifically targeted U.S. computer systems associated with e-commerce or e-banking.
More than 40 victims located in 20 states have been identified and notified in ongoing investigations. Once the hackers gain access, they download proprietary information, customer databases, and credit card information. The hackers subsequently contact the victim company through facsimile, email, or telephone. After notifying the company of the intrusion and theft of information, the hackers make a veiled extortion threat by offering Internet security services to patch the system against other hackers.
The National Infrastructure Protection Center (NIPC) has issued an updated Advisory 01-003 at www.nipc.gov regarding the exploitation of these vulnerabilities.
The following vulnerabilities have been previously reported:
Unauthorized Access to IIS Servers through Open Database Connectivity (ODBC) Data Access with Remote Data Service (RDS):
Systems Affected: Windows NT running IIS with RDS enabled.
Details: Microsoft Security Bulletin MS99-025, NIPC CyberNotes 99-22
SQL Query Abuse Vulnerability:
Affected Software Versions: Microsoft SQL Server Version 7.0 and Microsoft Data Engine (MSDE) 1.0
Details: Microsoft Security Bulletin MS00-14, NIPC CyberNotes 20-05
Registry Permissions Vulnerability:
Systems Affected: Windows NT 4.0 Workstation, Windows NT 4.0 Server
Details: Microsoft Security Bulletin MS00-008, NIPC CyberNotes 20-08 and 20-22
In addition to the exploits above, several filenames specific to Microsoft Windows NT systems have been identified in connection with the intrusions. The presence of any of these files on a system should be reviewed carefully, because it may indicate that the system has been compromised:
ntalert.exe
sysloged.exe
tapi.exe
20.exe
21.exe
25.exe
80.exe
139.exe
1433.exe
1520.exe
26405.exe
i.exe
In addition, system administrators may want to check for the unauthorized presence of any of the following executable files, which are often used as hacking tools:
lomscan.exe
mslom.exe
lsaprivs.exe
pwdump.exe
serv.exe
smmsniff.exe
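The two filename lists above are the kind of indicator an administrator would sweep a file server for. The script below is an added example written for this page, not part of the NIPC advisory or any Microsoft tooling: it walks a directory tree, matches every filename case-insensitively (NTFS does not distinguish case) against both lists, and reports which list produced the hit. The directory layout it builds under a temporary folder is constructed for the demonstration; the only real data in it are the filenames taken from the advisory.

```python
import os
import tempfile
from pathlib import Path

# Filenames the advisory identifies in connection with the intrusions (Windows NT systems).
INTRUSION_FILES = {
    "ntalert.exe", "sysloged.exe", "tapi.exe", "20.exe", "21.exe", "25.exe",
    "80.exe", "139.exe", "1433.exe", "1520.exe", "26405.exe", "i.exe",
}

# Executables the advisory lists as often used as hacking tools.
TOOL_FILES = {
    "lomscan.exe", "mslom.exe", "lsaprivs.exe", "pwdump.exe", "serv.exe", "smmsniff.exe",
}


def classify(name):
    """Return which advisory list a filename belongs to, or None.

    Comparison is case-insensitive because NTFS and FAT filenames are.
    """
    lower = name.lower()
    if lower in INTRUSION_FILES:
        return "intrusion-indicator"
    if lower in TOOL_FILES:
        return "hacking-tool"
    return None


def scan_tree(root):
    """Walk root recursively and return sorted (category, path) tuples for every match."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fname in filenames:
            category = classify(fname)
            if category is not None:
                hits.append((category, os.path.join(dirpath, fname)))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed directory tree (sample data, not a real system) to exercise the scanner."""
    root = tempfile.mkdtemp(prefix="nipc_demo_")
    layout = {
        "WINNT/system32/ntalert.exe": b"MZ",      # constructed: name is on the intrusion list
        "WINNT/system32/TAPI.EXE": b"MZ",         # constructed: upper case, must still match
        "Inetpub/scripts/1433.exe": b"MZ",        # constructed: name is on the intrusion list
        "temp/pwdump.exe": b"MZ",                 # constructed: name is on the hacking-tool list
        "Program Files/app/notepad.exe": b"MZ",   # constructed: benign, must not match
        "temp/readme.txt": b"notes",              # constructed: benign, must not match
    }
    for rel, data in layout.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for category, path in scan_tree(demo_root):
        print(f"{category:20s} {path}")
```

Point scan_tree at the root of each volume to sweep a real host. A hit is a reason to review the file (its timestamps, where it came from, what else changed around the same time), not proof of compromise on its own; a copy of an intruder's tool under a different name will not be found by a filename match, so this sweep complements, rather than replaces, applying the patches the advisory references.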
Recipients of this Advisory are encouraged to report computer crime to the NIPC Watch and Warning Unit at (202) 323-3204/3205/3206. Incidents may also be reported online at www.nipc.gov/incident/cirr.htm.
Microsoft has patches available for all of these vulnerabilities.