Hacker code could unleash Windows worm

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1002_3-5055759.html

By Robert Lemos 
Staff Writer, CNET News.com
July 25, 2003

A hacker group released code designed to exploit a widespread Windows
flaw, paving the way for a major worm attack as soon as this weekend,
security researchers warned.

The warning came Friday, after hackers from the Chinese X Focus
security group forwarded source code to several public security lists.  
The code is for a program designed to allow an intruder to enter
Windows computers.

The X Focus program takes advantage of a hole in the Microsoft
operating system that lets attackers break in remotely. The flaw has
been characterized by some security experts as the most widespread
ever found in Windows.

"An exploit (program) like this is very easy to turn into a worm,"  
said Marc Maiffret, chief hacking officer for network protection firm
eEye Digital Security. "I wouldn't be surprised if we see a worm
sooner rather than later."

While many security researchers believe the publication of such
information can encourage security personnel in businesses to patch
holes faster, the release of exploit code has typically preceded the
largest worm attacks of the past few years.

Maiffret and other security researchers worried that next week's
Defcon hacker conference in Las Vegas will act as a catalyst and spur
a malicious hacker to create and release such a worm.

In January, the Slammer worm spread to corporate networks worldwide,
causing databases to go down, bank teller machines to stop working and
some airline flights to be canceled. Six months earlier, a researcher
had released code that exploited the major Microsoft SQL vulnerability
used by the worm to spread.

Maiffret is quite familiar with how exploits and explicit details
about vulnerabilities can be turned into malicious code. In June 2001,
his company released details of another Microsoft flaw, in a component
of Web server software. A month later, the flaw became the mechanism
by which the Code Red worm spread.

Release tension

Maiffret, who doesn't support the release of exploit code, points to
the X Focus notice as proof that exploits can be created without
explicit details in the advisory. Few details were available to
hackers and security researchers about the Windows flaw it was based
on, but the exploit program was created quickly nevertheless.

Jeff Jones, senior director for Microsoft's Trustworthy Computing
initiative, took the creators of the code to task, saying that the
release of a program to exploit a specific vulnerability doesn't help
make companies more secure.

"We believe publication of exploit code in cases like this is not good
for customers," he said. Jones hinted that Microsoft may attempt to
identify the issuer of a worm and to take legal action against the
culprit. "While the release of exploits are protected in the United
States under the First Amendment, intentional use of that code to
cause damage is criminal."

Microsoft released details of the exploited vulnerability on July 16.  
The flaw is in a component of the operating system that allows other
computers to request the Windows system perform an action or service.  
The component, known as the remote procedure call (RPC) process,
facilitates such activities such as sharing files and allowing others
to use the computer's printer. By sending too much data to the RPC
process, an attacker can cause the system to grant full access to the
system.

The Chinese code worked on only three variants of Windows, but could
show knowledgeable hackers how to take advantage of the flaw.

'So I fixed it'

HD Moore, a security researcher and the founder of the Metasploit
Project, has done just that. A well-known hacker and programmer of
security code, Moore has taken the Chinese code and improved it. Now
the code works for at least seven versions of the operating system,
including Windows 2000 Service Pack 0 to Service Pack 4 and Windows XP
Service Pack 0 and Service Pack 1.

"I don't like broken exploits, so I fixed it," he said.

Moore posted his improved code for the program to a Web site hosted on
his home network and found an unexpected amount of interest in the
program. After other security researchers became aware of the code,
Moore's site started receiving 300 to 400 download requests every
second, taking down his cable modem connection. He planned to move the
site to a hosting provider later this weekend.

Moore also believed that the code could easily be turned into a worm.

"This is probably the most widespread vulnerability that lets you get
remote root," he said. "It's almost guaranteed to be turned into a
worm." Remote root is a security term for the ability to take control
of a computer over the Internet.

The prospect has financial companies worried, said another security
researcher, who asked not to be named. The companies have had only two
weeks to evaluate the Microsoft patch and apply it--an impossible task
for chronically overworked network administrators.

"It's a huge problem, because they haven't had time," said the
researcher. "It takes weeks to remediate a whole Class-B (about 65,000
addresses) network."

And even companies that have patched all the flaws and taken
prescriptive measures to harden their firewalls have to be sure they
haven't missed anything, said eEye's Maiffret.

"This is going to be something like the SQL Slammer worm," he said.  
"It won't affect the outside networks (such as the Internet); it's
going to affect the inside networks. All it takes is one server to get
infected. You think it (was) bad when your database servers went down.  
This will take those servers and every other computer down as well."

He has advice: Patch quickly and disable the vulnerable service.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.