A March 10 computer attack on a server run by the U.S. Army using the recently disclosed Microsoft Internet Information Server (IIS) vulnerability resulted in the complete compromise of that machine and may herald the advent of a new worm in the very near future, according to security company TruSecure.

The incident was an instance of a rare “zero day” attack, in which an as-yet unreported vulnerability is used to compromise a remote system, TruSecure said.

The targeted server was a publicly addressable IIS server managed by the Army, but was not part of the Army’s Web site infrastructure nor was the server performing any important functions or storing sensitive information, according to Cooper. “It was a totally useless Web server doing nothing whatsoever,” Cooper said.

The Army did not respond to requests for comment. The Herndon, Va., company learned of the attack on March 11 from confidential sources within the Army and contacted Microsoft, Cooper said.

Microsoft released a critical patch for the buffer overflow vulnerability on Monday, warning that it was already aware of exploits using the vulnerability. The company did not provide details on those exploits, however.

The flaw exists in a Windows 2000 component that is used to handle the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol.

WebDAV is a set of extensions to HTTP that allows users to edit and manage files on remote Web servers.
The protocol is designed to create interoperable, collaborative applications that facilitate geographically dispersed “virtual” software development teams.

The March 10 attack was directed specifically at the Army and was not the result of a broader or indiscriminate attack, according to Russ Cooper, Surgeon General of TruSecure.

In that attack, a specially formatted URL was used to generate a buffer overflow. After the machine was compromised, it began collecting information on the network that machine was connected to, a process known as “network mapping,” according to Cooper. “It was delivered the same way as Code Red,” Cooper said.

However, unlike the Code Red worm, which hit computers worldwide in 2001, the attack on the Army server did not attempt to replicate itself, according to Cooper.

Information gained from the network mapping was sent back to the attacker using port 3389, which is used by Microsoft Terminal Services.

It is not known what information was sent from the machine. However, the IP addresses of other machines on the network and information on what services were running would all be valuable to a malicious hacker, according to Cooper.

Because the targeted server was a low-value asset, there were initially few warnings that a compromise had taken place.

Army IT personnel only became aware of the problem after noticing the increased network scanning activity emanating from the box, Cooper said.

The compromised machine also displayed a message saying “Welcome to the Unicorn Beachhead,” according to Cooper.

Army personnel initially rebuilt the compromised server, only to have it hacked again almost immediately.

“They didn’t know that it was a new vulnerability.
They just knew that (IIS) was patched and the attack was still working,” Cooper said.

Army personnel registered the problem with Microsoft using a form on Microsoft’s Web page, according to Cooper.

Microsoft was not immediately available for comment.

After learning of the attack on March 11, however, TruSecure contacted Microsoft about the problem directly. The company appeared to be unaware of the existence of the new vulnerability at that time, Cooper said.

“None of the people I talked to knew, and they should have known,” Cooper said.

Within hours, however, the company appeared to be in a high state of alert about the problem.

“Two hours later, Microsoft said ‘We’re all over this,’” Cooper said.

Because a highly developed attack using the vulnerability already exists, TruSecure is predicting that a worm leveraging the new IIS security hole could appear in as little as a week.

Administrators running vulnerable versions of IIS should patch them immediately or disable WebDAV, Cooper said.