Security companies urge clients to patch their Windows systems, as concerns heighten that an MSBlast-like worm will be released soon--perhaps even as early as this weekend, according to one firm.
As previously reported, the worries are driven by the release of several effective programs for exploiting a widespread vulnerability in a security function of Windows, known as the Local Security Authority Subsystem Service, or LSASS. The programs, known as exploit code, have also been integrated into remote attack software known as bot software, a move widely considered to be the penultimate stage in a code's engineered evolution from simple script to full-blown worm.
On Friday, network protection company Lurhq released an advisory to its clients, saying there was a "high probability that a worm may be released in the next 24 to 48 hours."
Security company Symantec has also warned customers that attacks that exploit the LSASS vulnerability are climbing. On Thursday, the company informed clients that two of its "honeypot" servers--computers that aren't used for business but to attract malicious programs and detect new threats--had been compromised by bot software within minutes of each other.
Bot software has already compromised a large number of computers, surreptitiously turning those systems over to the control of the attacker and making them the attacker's "bots." Because of the scope of the attacks, Symantec's Huger said that companies should not look at worms as the greatest threats.
"I would say the bot networks are as dangerous or more dangerous than worms," he said. "We are telling our clients not to defend against an expected worm but to patch." That way, they are protected against both dangers, he said.
Microsoft has confirmed the reports of code designed to exploit LSASS and requested that all clients update their software. The patch will also protect against another issue that affects the security features of Microsoft's Web server software.
Though many security companies have warned customers of the potential of an LSASS-related worm, the Lurhq release is perhaps the most forceful advisory to date.
Symantec's Huger said he thought a worm would likely be written, but he didn't predict when it might appear. Craig Schmugar, a senior antivirus researcher with security company Network Associates, said that though the Lurhq release involves a likely scenario, the company may have turned the volume up a bit too high.
Get the patch: Read Microsoft advisory MS04-011 and apply
"I guess they are trying to stress the criticality of the situation," he said.
Joe Stewart, senior security researcher with Lurhq, said part of the impetus for the advisory is the history of the last few major worms. Both the Witty worm and the Slammer worm were released on a Friday. The MSBlast worm, however, was likely released on a Sunday.
"If there is ever a time that they like to release a worm, it's Friday night after every admin has gone home," Stewart said. He added that the company wanted "to give our customers a greater sense of urgency to patch" their systems.