Worm worries grow with release of Windows hacks

Program files designed to exploit two major vulnerabilities in Microsoft software are being used to attack computers, but security experts worry that an MSBlast-type worm could be ahead.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
3 min read
Program files designed to exploit two major vulnerabilities in Microsoft software are being used to attack computers, but security experts worry that worse--an MSBlast-type worm--could be ahead.

The warning comes after several security programmers released source code that makes it easy for an attacker to take control of any Windows computer that has not applied a patch released by Microsoft.

Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.

The software flaws targeted by the exploit code are two critical vulnerabilities that the software giant warned about on April 13.

"From January to March (of this year), we mainly saw mass-mailing worms," said Vincent Weafer, senior director for security company Symantec's security response center. "Between now and the end of summer, it's likely we'll see...a Blaster-type event."

Currently, Symantec and the Internet Storm Center, a site that monitors network threats, have both detected automated attacks on computers that have not had the recent security holes patched. An exploit that uses a vulnerability in the private communications transport (PCT) feature of Windows Web servers, known as Microsoft Internet Information Servers (IIS), has compromised systems at many companies, Ullrich said.

While some news reports have theorized that a new worm is on the loose, the data traffic caused by the attacks has not risen to the level typically seen with worms, said Johannes Ullrich, chief technology officer for the Internet Storm Center.

"It's nothing I would call a worm yet, but companies are being hit with the code," he said. "It is not as prevalent as I would have thought by now."

The Internet Storm Center, which is operated by the SANS Institute, has also found evidence of code that takes advantage of another, more widespread vulnerability. That flaw, in a Windows security component known as the Local Security Authority Subsystem Service (LSASS), has been added to an automated attack agent, or bot, known as AgoBot. Such programs run invisibly on a compromised computer, giving an intruder full control of the system and the ability to use the PC in attacks.

Symantec confirmed that it has also captured a version of the AgoBot program, known as PhatBot, that appears to have the ability to attack systems through the LSASS vulnerability. While that is a worry, the greater threat would be a fully automated worm, Weafer said. He added that, in scope and ease of attack, the LSASS exploit is similar to the one that allowed the MSBlast worm to spread so widely.

In fact, the anticipation of a major Internet attack has risen to a level comparable to that prior to the MSBlast worm that launched last August and ended up infecting more than 8 million computers by the end of March. Microsoft updated on Wednesday the number of computers cleaned of MSBlast to 9.5 million.

The two flaws threaten different pieces of the computing infrastructure. The PCT vulnerability puts Web servers that use Secure Sockets Layer encryption features at risk. Such servers are common in e-commerce applications, allowing intruders to target high-value computers with the vulnerability. The LSASS flaw affects almost every Windows computer that has not yet been patched, leaving the door open to a worm attack.

"They are very different in terms of the types of machines that the exploit would target," said Stephen Toulouse, security program manager for Microsoft's Security Research Center.

Although a worm has not yet been created, the danger from would-be intruders using the most recent exploit programs is still real, the Internet Storm Center's Ullrich said. The center, which tracks attacks and worms by analyzing firewall records, indicated that would-be intruders are scanning companies for vulnerable systems, and when they find such systems, they attack.

"In a couple minutes, we've seen whole IIS server farms taken out," he said.

The situation has Microsoft reiterating its plea for patching. "We urge all our customers to apply the updates as soon as possible," said the software giant's Toulouse.

More information on the flaws and the patches can be found on Microsoft's security site.