Following the same pattern of predictions that preceded last month’s devastating Blaster worm, security analysts have begun to focus on the new crop of Microsoft Windows vulnerabilities and the attack tools created to take advantage of them — all of which could indicate that a new family of computer worms is in the works.
One week after Microsoft warned of new vulnerabilities in Windows’ Remote Procedure Call (RPC) protocol — the same software that opened nearly half a million machines to Blaster’s attack — attack code already is being circulated on the Internet, according to security intelligence company iDefense.
Experts said a worm that uses the attack code is highly likely to emerge. They noted that last month’s virus outbreaks have put corporate and home users on alert, which could make widespread system patching more likely. However, security experts again expressed concern over the shortened time between a vulnerability’s disclosure and its exploit.
iDefense reported that attack code originating from China is now available on the Internet, and said the new code is limited to Windows 2000 machines even though the latest RPC vulnerabilities affect all recent versions of Windows.
Ken Dunham, malicious code intelligence manager at iDefense, said computers are already under attack from the tool. He also told TechNewsWorld about another piece of exploit software that would work against Windows XP.
“What we’re going to see is all of the operating systems that are exploitable by this attack are going to come under fire,” Dunham said, adding that, like last time, attackers are deploying stealth tactics — primarily trojan programs that can silently take control of vulnerable machines and force them into denial-of-service attacks.
On the basis of the wide distribution of the vulnerability and the release of similar exploit code in the case of the previous RPC holes, security experts predicted the Blaster worm weeks before it made its way into thousands of machines. Those same predictions also are coming with the new vulnerabilities disclosed by Microsoft on September 10th.
“We see the same exploit activity as we did with the first RPC vulnerability,” Dunham said. “It’s pretty much identical, except we see more people downloading a patch from Microsoft.”
Still, given that there are hundreds of thousands of potential targets, Dunham said a new worm could spread rapidly among many of them.
Users On Guard
Analysts said the threat of a new worm is somewhat mitigated by heightened security awareness following last month’s outbreaks, which included Blaster, Nachi and SoBig.F.
“A lot of the success [of a virus or worm] depends at least somewhat on people letting down their guard, and right now I would think people have their guard up,” Forrester industry analyst Jan Sundgren told TechNewsWorld.
Dunham added that as time goes on and more systems are patched, the potential for impact from attacks will be reduced.
Cut, Paste and Infect
However, Dunham said that a worm similar to Blaster is likely to emerge not only because of the vulnerabilities recently disclosed by Microsoft, but also because the blueprints for attack are so readily available.
“The probability of a worm in this case is higher,” he said. “We already have worm code available to a large number of people underground.”
A worm would be easy, Dunham added. “You’ve got Blaster source code available and the source code of the exploit to this new one,” he said. “It’s a cut-and-paste procedure to put together a worm that would be effective right away.”
Forrester’s Sundgren expressed concern over the narrowing time window between disclosure of a vulnerability, availability of a patch and the eventual exploit, saying it makes the often-difficult task of patching even more urgent.
Dunham said that while viruses and worms of the past could be classified as file- or drive-based infections, the latest threats exploit vulnerabilities like never before, showing that significant numbers of computers go unpatched.
“It used to be vulnerabilities and viruses didn’t go together too much,” he said. “Now, everything’s a blended threat to some degree. We are just going to see an onslaught of vulnerability-based attacks.”