New coded exploits that take advantage of a widespread Microsoft Windows vulnerability have been posted online. By most reports, malicious scans to expose vulnerable systems are running rampant a week after government warnings regarding the flaw.
Security experts said the scans for the vulnerability — which involves a flaw in the Remote Procedure Call (RPC) protocol that could allow malicious users to execute code remotely — are continuing amid actual attacks.
Not only does the pattern of vulnerability, exploit, attack seem to be quickening, but the typical evolution of the exploits is resulting in increasingly harmful payloads, which could lead to destruction, modification or theft of data, experts said.
“We’re going to have competing exploits published with more interesting payloads,” Gartner vice president of research Richard Stiennon told TechNewsWorld, referring to backdoor trojan add-ons, which quietly allow remote control of a machine. “The one we won’t get a chance to examine is going to be the one that’s the worm. It’s got such a potential for damage.”
Ever since Microsoft disclosed the RPC vulnerability on July 16th, security experts and government officials have warned of a looming attack or worm that could take advantage of it. The critical software hole affects all of Microsoft’s recent operating systems, including Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003.
Stiennon said the number of scans for systems that have not yet patched the RPC vulnerability’s port 135 is rising dramatically as would-be attackers check for machines that are open to attack. He reported 3,500 source addresses scanning for the vulnerability — more than double the number of scans in early July, which averaged 900 source addresses for the month.
Toolkits for Trouble
Dan Ingevaldson, engineering manager for Internet Security Systems’ X-Force, said automated scanning tools — sometimes called “root kits” — are contributing to the scanning increase and adding backdoor trojans designed to control computers in the background.
Ingevaldson told TechNewsWorld that there have been reports of scans and attacks affecting academic and university networks, which are particularly vulnerable because of their openness and large numbers of computers and users.
Internet carriers and service providers also are being targeted because, in serving their customers, they are not blocking or filtering traffic, according to Ingevaldson. A malicious user who penetrates an ISP network server conceivably could have access to many hundreds of potentially vulnerable PCs.
Worm on the Way
Forrester research director Michael Rasmussen said the high activity surrounding the Windows vulnerability indicates a worm is soon to come.
“I definitely think that we’re very close to seeing a worm,” he told TechNewsWorld. “I hate to raise a red flag and then have nothing happen, but the truth is, there’s a legitimate likelihood we’ll see an attempt through that exploit.”
Rasmussen said a worm based on the RPC vulnerability could be released simply to spread itself or might be used in a targeted attack to destroy or steal information using a malicious payload.
Stiennon said that with millions of machines at risk, installation of the patch provided by Microsoft often is too time-consuming — especially in large corporations — to roll out quickly enough to stop the attacks.
“There just is not time to patch all of the machines in the universe. That’s a very, very frustrating piece of advice to give somebody,” Stiennon said, referring to the difficulty of patching hundreds or thousands of servers.
However, security experts did suggest alternative ways of covering the vulnerability, such as using firewalls and filtering or blocking port 135.
Vital Part Vulnerable
Experts said the RPC vulnerability is particularly difficult to deal with because the remote-control feature is such an important part of the Windows operating system.
“It would be great if we could say we don’t need RPC, but we do,” Stiennon said. “Microsoft uses it for a lot, including for active directory authentication.”
Ingevaldson said the RPC protocol is important, for example, for Outlook e-mail to communicate with Exchange servers.
“It’s woven very closely throughout the Windows operating system,” he said.