In an advisory posted on 30 August, Microsoft warned customers that several companies had recently observed an "increased level of hacking activity." Microsoft Product Support Services (PSS) told system administrators to be on the lookout for Trojan horses--programs that appear to be legitimate but aren't--and for several specific kinds of odd network behavior.
On Wednesday, Mark Miller, security specialist for the Microsoft PSS, said that the attacks seemed to be ongoing, but at a much reduced level.
"We saw a pretty sharp spike," he said, adding that "we definitely consider this to be hacker activity and not worm activity."
Microsoft has only been able to characterise the attacks by certain files that each compromised machine has in common and that compromised machines have all been running Windows 2000.
One file, "gg.bat," attempts to connect to other computers using various administrator accounts. If successful, the file will then copy other files over to the compromised system. This behavior is usually considered characteristic of a worm--but Miller stressed that since the file doesn't copy itself to the victim's hard drive, it shouldn't be considered a worm.
Another file, "seced.bat," changes security settings on the compromised system. This attack could make it easier for a vandal to later log onto the computer and use the system. A third file, "gates.txt," contains a list of numerical Internet addresses. Microsoft, however, is unsure whether they are addresses of compromised systems, computers to be targeted, or some unrelated list.
While the company wouldn't say how many machines or customers had been victims of the attacks, Miller did say that "it has been a significant number."
With the rate of compromise apparently declining, however, Microsoft seems willing to wait before referring incidents to the Microsoft Security Response Center, the company's internal clearing house for information on flaws and bugs. Miller explained that the company has not been able to determine if the attack uses some new flaw in its operating system or just finds success because Windows 2000 system patches are out of date.
"We are still monitoring the situation and we are looking into it," said Miller.
See http://online.securityfocus.com/archive/75/278235/2002-06-21/2002-06-27/0 for more info on the Worm 1800.exe issue