[ISN] Hacker code could unleash Windows worm

From: InfoSec News (isnat_private)
Date: Mon Jul 28 2003 - 03:36:26 PDT

  • Next message: InfoSec News: "[ISN] Linux Advisory Watch - July 25th 2003"

    By Robert Lemos 
    Staff Writer, CNET News.com
    July 25, 2003
    A hacker group released code designed to exploit a widespread Windows
    flaw, paving the way for a major worm attack as soon as this weekend,
    security researchers warned.
    The warning came Friday, after hackers from the Chinese X Focus
    security group forwarded source code to several public security lists.  
    The code is for a program designed to allow an intruder to enter
    Windows computers.
    The X Focus program takes advantage of a hole in the Microsoft
    operating system that lets attackers break in remotely. The flaw has
    been characterized by some security experts as the most widespread
    ever found in Windows.
    "An exploit (program) like this is very easy to turn into a worm,"  
    said Marc Maiffret, chief hacking officer for network protection firm
    eEye Digital Security. "I wouldn't be surprised if we see a worm
    sooner rather than later."
    While many security researchers believe the publication of such
    information can encourage security personnel in businesses to patch
    holes faster, the release of exploit code has typically preceded the
    largest worm attacks of the past few years.
    Maiffret and other security researchers worried that next week's
    Defcon hacker conference in Las Vegas will act as a catalyst and spur
    a malicious hacker to create and release such a worm.
    In January, the Slammer worm spread to corporate networks worldwide,
    causing databases to go down, bank teller machines to stop working and
    some airline flights to be canceled. Six months earlier, a researcher
    had released code that exploited the major Microsoft SQL vulnerability
    used by the worm to spread.
    Maiffret is quite familiar with how exploits and explicit details
    about vulnerabilities can be turned into malicious code. In June 2001,
    his company released details of another Microsoft flaw, in a component
    of Web server software. A month later, the flaw became the mechanism
    by which the Code Red worm spread.
    Release tension
    Maiffret, who doesn't support the release of exploit code, points to
    the X Focus notice as proof that exploits can be created without
    explicit details in the advisory. Few details were available to
    hackers and security researchers about the Windows flaw it was based
    on, but the exploit program was created quickly nevertheless.
    Jeff Jones, senior director for Microsoft's Trustworthy Computing
    initiative, took the creators of the code to task, saying that the
    release of a program to exploit a specific vulnerability doesn't help
    make companies more secure.
    "We believe publication of exploit code in cases like this is not good
    for customers," he said. Jones hinted that Microsoft may attempt to
    identify the issuer of a worm and to take legal action against the
    culprit. "While the release of exploits are protected in the United
    States under the First Amendment, intentional use of that code to
    cause damage is criminal."
    Microsoft released details of the exploited vulnerability on July 16.  
    The flaw is in a component of the operating system that allows other
    computers to request the Windows system perform an action or service.  
    The component, known as the remote procedure call (RPC) process,
    facilitates such activities such as sharing files and allowing others
    to use the computer's printer. By sending too much data to the RPC
    process, an attacker can cause the system to grant full access to the
    The Chinese code worked on only three variants of Windows, but could
    show knowledgeable hackers how to take advantage of the flaw.
    'So I fixed it'
    HD Moore, a security researcher and the founder of the Metasploit
    Project, has done just that. A well-known hacker and programmer of
    security code, Moore has taken the Chinese code and improved it. Now
    the code works for at least seven versions of the operating system,
    including Windows 2000 Service Pack 0 to Service Pack 4 and Windows XP
    Service Pack 0 and Service Pack 1.
    "I don't like broken exploits, so I fixed it," he said.
    Moore posted his improved code for the program to a Web site hosted on
    his home network and found an unexpected amount of interest in the
    program. After other security researchers became aware of the code,
    Moore's site started receiving 300 to 400 download requests every
    second, taking down his cable modem connection. He planned to move the
    site to a hosting provider later this weekend.
    Moore also believed that the code could easily be turned into a worm.
    "This is probably the most widespread vulnerability that lets you get
    remote root," he said. "It's almost guaranteed to be turned into a
    worm." Remote root is a security term for the ability to take control
    of a computer over the Internet.
    The prospect has financial companies worried, said another security
    researcher, who asked not to be named. The companies have had only two
    weeks to evaluate the Microsoft patch and apply it--an impossible task
    for chronically overworked network administrators.
    "It's a huge problem, because they haven't had time," said the
    researcher. "It takes weeks to remediate a whole Class-B (about 65,000
    addresses) network."
    And even companies that have patched all the flaws and taken
    prescriptive measures to harden their firewalls have to be sure they
    haven't missed anything, said eEye's Maiffret.
    "This is going to be something like the SQL Slammer worm," he said.  
    "It won't affect the outside networks (such as the Internet); it's
    going to affect the inside networks. All it takes is one server to get
    infected. You think it (was) bad when your database servers went down.  
    This will take those servers and every other computer down as well."
    He has advice: Patch quickly and disable the vulnerable service.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 06:27:22 PDT