The notion that Windows users might be the targets of hacker attacks is nothing new, given the platform's vast market domination and the sheer number of Windows-based desktops and servers. But a mysterious new type of attack has security watchdogs and Microsoft itself baffled this week; the company has issued a security warning that appears to offer little help in fending off the attack. As is often the case, this latest problem involves a Denial of Service (DoS) attack but is interesting because it also lets attackers insert code in PCs; the attackers can later use this code to compromise security. As a result, victims often can't log on to their own systems.
According to Microsoft's security bulletin about this problem (see the first URL below), the attack injects the following files on compromised systems: seced.bat, which can change the system's security policies, and cg.bat, which can attempt to connect as an administrator to other servers on the network. "As of August 2002, the PSS Security Team has not been able to determine the technique that is being used to gain access to the computer," the company writes in its bulletin. "However, because of the significant spike in activity, the PSS Security Team has determined that these techniques are similar and/or automated in some cases. Fully patched computers that follow security best practices provide the best protection from hacking or other malicious software."
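The bulletin gives defenders only two concrete artifacts to look for, the file names seced.bat and cg.bat. The following is an added example, not code from the article or from Microsoft, of a simple sweep that walks a directory tree and reports any file with one of those names; the sample tree it builds is constructed for the demonstration and stands in for a real system drive.

```python
import os
import tempfile
from pathlib import Path

# File names Microsoft's bulletin associates with the compromise (taken from the article).
# A name match is only an indicator; the file's contents should be reviewed before concluding anything.
IOC_FILENAMES = {"seced.bat", "cg.bat"}


def find_ioc_files(root):
    """Walk `root` and return the sorted paths of files whose name matches an indicator.

    Comparison is case-insensitive because NTFS and FAT are case-insensitive,
    so SECED.BAT and seced.bat are the same file to Windows.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in IOC_FILENAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def matched_names(hits):
    """Return the lower-cased base names of the reported hits (convenience for reporting)."""
    return sorted(os.path.basename(h).lower() for h in hits)


def build_sample_tree():
    """Constructed sample directory tree for the demonstration (not a real host).

    Two indicator files are planted, one in upper case, plus one unrelated batch
    file that must not be reported.
    """
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    system32 = Path(root) / "Windows" / "System32"
    temp_dir = Path(root) / "Windows" / "Temp"
    system32.mkdir(parents=True)
    temp_dir.mkdir(parents=True)
    (temp_dir / "SECED.BAT").write_text("@echo constructed sample\r\n")
    (system32 / "cg.bat").write_text("@echo constructed sample\r\n")
    (system32 / "benign.bat").write_text("@echo unrelated file\r\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_ioc_files(sample_root):
        print("indicator file found:", hit)
```

Point `find_ioc_files` at a system drive (for example `C:\`) to sweep a real machine; on a large volume the walk takes a while, and a hit should be treated as a reason to preserve the file for analysis and start the recovery procedure, not as proof by itself.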
To recover from such an attack, Microsoft recommends that users follow the root-compromise recovery instructions from the CERT Coordination Center (see the second URL below). The procedure involves a complete reinstallation of the OS. I'll provide more information about this curious new attack as it becomes available.