Computer attackers are among those discussing and dissecting exploit code for a recently disclosed, serious security gap in all newer versions of Microsoft Windows operating systems, following a pattern now familiar to victims of the SQL Slammer, Blaster, Nimda or Code Red viruses.
And while past experience — and the resulting preparedness — might mitigate the effects of attacks, analysts and security experts are concerned that back-door Trojans and worms based on the security hole could begin to emerge with greater frequency. Microsoft has made a patch available for the Abstract Syntax Notation (ASN.1) vulnerability disclosed last week, but the vulnerability still has the potential to disrupt millions of Internet users, including non-Windows ones.
Ken Dunham, iDefense director of malicious code, told TechNewsWorld that the ASN vulnerability potentially could be the most widely exploited security hole of all time, saying the widespread distribution of exploit code, while not unexpected, marks another tell-tale indicator of pending trouble.
“The widespread distribution of this new exploit code has significantly increased the threat level for ASN.1 possible attacks,” Dunham said. “It is far more likely that we will soon see hacking, Trojans and worms emerge against this vulnerability now that exploit code is widely available.”
In addition, Dunham indicated that as with past Windows-based attacks, many other Internet users could be affected by Internet assaults based on the vulnerability. “There are literally millions of computers vulnerable to [ASN.1] exploitation,” he said. “A worm could emerge that could cause mass disruption.”
Waiting on Worm
The conditions required for a widely spreading computer worm are falling into place and following a pattern similar to the vulnerability, exploit and worm phases in a Remote Procedure Call (RPC) vulnerability that was the basis for the MS Blaster worm last August.
Gartner research vice president Richard Stiennon, who correctly forecast the Blaster worm after disclosure of the RPC vulnerability, told TechNewsWorld that it is almost certain a worm will exploit the ASN hole, likely within the next two to three weeks.
Stiennon also said that because ASN — a basic protocol for data communication across various platforms — is widely used in servers, the worm could spread among machines used mostly by larger companies, much like the Nimda and Code Red worms.
Blueprint for Bad
Dunham said the exploit code, which compiles rather easily on both Windows and Unix computers, is fully functional and is now widespread on the Internet via discussion groups and Web sites.
“The threat index for ASN.1 attacks has just gone up significantly,” he said. “This new exploit code serves as a template for attackers who want to gain remote access to vulnerable computers, infect them with Trojans or create a bot or worm.”
Dunham said the exploit code, which causes the Local Security Authority Subsystem executable (LSASS.exe) to crash, can be sent via Server Message Block (SMB) to computers listening on port 445 or via NetBIOS to computers listening on port 139. He advised blocking untrusted access to affected ports and patching with the available update from Microsoft.
Vulnerable Patching Period
Stiennon said that although past worm outbreaks have forced companies to fix firewalls and properly block attacks via the affected ports, the sheer number of machines using ASN makes a widespread outbreak likely.
Most large companies have already started patching for the ASN.1 problem but likely have not completed the process, according to Dunham.
He said it will take at least five to seven days for large companies to patch computers completely, not including time for a comprehensive audit.
“As seen in the Slammer outbreak of 2003, the embedded technology may prove to be difficult to audit and fully patch,” Dunham said. “Even if an organization believes their computers are fully patched, they may find out otherwise if an attack is launched against the ASN.1 vulnerability.”