April 28, 2004 4:05 PM PDT

Worm worries grow with release of Windows hacks

By Robert Lemos
Staff Writer, CNET News

Share
- Digg
- Del.icio.us
- Reddit
- Facebook
Email
Print

Related Stories: Microsoft warns of a score of security holes
April 13, 2004; MSBlast epidemic far larger than believed
April 2, 2004; Waiting for the worm to turn up
August 1, 2003

Program files designed to exploit two major vulnerabilities in Microsoft software are being used to attack computers, but security experts worry that worse--an MSBlast-type worm--could be ahead.

The warning comes after several security programmers released source code that makes it easy for an attacker to take control of any Windows computer that has not applied a patch released by Microsoft.



		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

The software flaws targeted by the exploit code are two critical vulnerabilities that the software giant warned about on April 13.

"From January to March (of this year), we mainly saw mass-mailing worms," said Vincent Weafer, senior director for security company Symantec's security response center. "Between now and the end of summer, it's likely we'll see...a Blaster-type event."

Currently, Symantec and the Internet Storm Center, a site that monitors network threats, have both detected automated attacks on computers that have not had the recent security holes patched. An exploit that uses a vulnerability in the private communications transport (PCT) feature of Windows Web servers, known as Microsoft Internet Information Servers (IIS), has compromised systems at many companies, Ullrich said.

While some news reports have theorized that a new worm is on the loose, the data traffic caused by the attacks has not risen to the level typically seen with worms, said Johannes Ullrich, chief technology officer for the Internet Storm Center.

"It's nothing I would call a worm yet, but companies are being hit with the code," he said. "It is not as prevalent as I would have thought by now."

The Internet Storm Center, which is operated by the SANS Institute, has also found evidence of code that takes advantage of another, more widespread vulnerability. That flaw, in a Windows security component known as the Local Security Authority Subsystem Service (LSASS), has been added to an automated attack agent, or bot, known as AgoBot. Such programs run invisibly on a compromised computer, giving an intruder full control of the system and the ability to use the PC in attacks.

Symantec confirmed that it has also captured a version of the AgoBot program, known as PhatBot, that appears to have the ability to attack systems through the LSASS vulnerability. While that is a worry, the greater threat would be a fully automated worm, Weafer said. He added that, in scope and ease of attack, the LSASS exploit is similar to the one that allowed the MSBlast worm to spread so widely.

In fact, the anticipation of a major Internet attack has risen to a level comparable to that prior to the MSBlast worm that launched last August and ended up infecting more than 8 million computers by the end of March. Microsoft updated on Wednesday the number of computers cleaned of MSBlast to 9.5 million.

The two flaws threaten different pieces of the computing infrastructure. The PCT vulnerability puts Web servers that use Secure Sockets Layer encryption features at risk. Such servers are common in e-commerce applications, allowing intruders to target high-value computers with the vulnerability. The LSASS flaw affects almost every Windows computer that has not yet been patched, leaving the door open to a worm attack.

"They are very different in terms of the types of machines that the exploit would target," said Stephen Toulouse, security program manager for Microsoft's Security Research Center.

Although a worm has not yet been created, the danger from would-be intruders using the most recent exploit programs is still real, the Internet Storm Center's Ullrich said. The center, which tracks attacks and worms by analyzing firewall records, indicated that would-be intruders are scanning companies for vulnerable systems, and when they find such systems, they attack.

"In a couple minutes, we've seen whole IIS server farms taken out," he said.

The situation has Microsoft reiterating its plea for patching. "We urge all our customers to apply the updates as soon as possible," said the software giant's Toulouse.

More information on the flaws and the patches can be found on Microsoft's security site.

See more CNET content tagged:
Internet Storm Center, AgoBot, MSBlast worm, worm, worry

Latest tech news headlines

Creating a 'Facebook for spies'
Posted in News - Digital Media by Steven Musil

September 7, 2008 10:30 AM PDT
The main problem with Windows Vista
Posted in Defensive Computing by Michael Horowitz

September 6, 2008 7:50 PM PDT
Google-focused satellite enters orbit
Posted in News - Digital Media by Jonathan Skillings

September 6, 2008 7:33 PM PDT

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Inside CNET News

Scroll Left Scroll Right

News - Business Tech
Chrome's JavaScript challenge to Silverlight
The advent of Google's Chrome browser, software pros say, should spur a big speedup for JavaScript, which would raise its standing against Microsoft's Silverlight technology.
Gallery
Photos: Top 10 reviews of the week
Here are CNET Reviews' 10 favorite items from the past week, including the TiVo HD XL, Sony Cyber-shot DSC-H50, and the Dish Network's newest digital TV converter box.
News - Apple
Apple watchers spot 'iPod Nano' pix, iTunes hints
The rumor mill has long been predicting a longer, leaner new version of the iPod Nano, and now it's conjuring up some pictures.
Coop's Corner
Chris Shipley 1, Internet lynch mob 0
Demo's impresario goes public with a tart and smartly written riposte to the shoot-from-the-lip crowd.
Video
Katie Couric reflects on first Webcast
The political conventions are over and so are CBS Evening News anchor Katie Couric's first series of Webcasts. CNET's Kara Tsuboi sat down with Couric on the final night of the Republican National Convention to discuss what she liked about Webcasting, some of her most memorable guests, and whether TV news will still be around by the next round of conventions.
News - Digital Media
Creating a 'Facebook for spies'
The CIA, FBI, and National Security Agency are reportedly testing a social-networking site designed for use by analysts within the 16 U.S. intelligence agencies.
Video
YouTube plays party politics
During the presidential campaigning four years ago, YouTube didn't even exist. Now it's a tool candidates must master to get their message across. CNET's Kara Tsuboi stops by the YouTube upload booths at the Democratic and Republican conventions to find out why Google's video site has such a big presence in Denver and St. Paul, Minn.
News - Gaming and Culture
Are Demo and TechCrunch50 fragmenting their audiences?
With both events scheduled to start Monday, many press, as well as venture capitalists and others are having to choose which one to attend.
News - Cutting Edge
Execs predict next Google-like tech
On eve of company's 10-year anniversary, researchers and business pundits speculate about what technologies might someday have as much impact as Google.
Gallery
Images: The art of 'Spore' prototypes
Will Wright and his Maxis team worked on dozens of prototypes to test the elements of their soon-to-be-released evolution game. Here's a sampling.
Crossfade
The Standard, 'A Different Skin': Free MP3 of the Day
Eschewing the danceable beats favored by many of its post-punk brethren, while opting instead for more ominous and insistent rhythms, is what makes the Standard visceral and engaging. Download a free MP3 of "A Different Skin" courtesy of CNET Download Mus
Green Tech
Duke Energy to invest in mini solar power plants
Can hundreds of rooftop solar panels collectively operate like a central power plant? Duke Energy launches $100 million distributed solar program to find out.