"Hundreds or thousands" of New Zealand companies risk infection from a virus worm sweeping the world, says an Auckland self-confessed “white hat hacker”.
The worm is already here, with websites and mail servers being defaced, says Brett Moore of Software Creations. His company has tested the vulnerabilities of more than 100 New Zealand websites and found many at risk from the “sadmind/IIS worm”. Sadmind exploits two well-known vulnerabilities to compromise systems and deface web pages (see Cert Advisory). IDG.net.nz reported yesterday that "sadmind/IIS" had struck “thousands” of Solaris and IIS servers worldwide (see Worm hits thousands of Solaris and IIS servers).
In New Zealand, Moore says the mail server for the Royal Commission of Genetic Modification was hit (http://22.214.171.124/), along with others including a New Zealand ISP, and the website of British TV news station ITN. They were left with messages concerning the recent tension between the US and China.
In addition, Moore says, government agencies, trades union, ISPs, schools and others with an IP address of 210.55 have a "back door" vulnerability to the worm attack. Even if the worm has not defaced a company's website, or even if it has fixed its website and since applied the Microsoft patches, Moore says "the backdoor that it planted in the process in attempting to deface may still be there”.
Software Creations has released a free tool for New Zealand firms to check their site for this back door. It runs on Windows from 95 to 2000 and detects infections on Windows-based internet servers. This includes IIS4, IIS5, Exhange/Outlook webmail and personal web server.
“The worm uses a bug in Microsoft handling of URLs. A patch has been available for well over six months, but the worm is having great success," Moore says. The exploit used by the bug is the same that is currently used in about 70% of IIS web defacement. We expect a lot of IIS5 servers have been defaced by the recent printer bug found in that version of the software."