Warning Goes Out of New Worm Lurking Nearby
Security analysts say it's only a matter of time before a worm is released in the wild to attack users through the newly discovered vulnerabilities in Microsoft's Windows.
''I think it's just a matter of time,'' says Steve Sundermeier, vice president of products and services at Central Command Inc., an anti-virus and security company. ''We're all gearing up for it. It's definitely going to come. We're going to see a new worm.''
Microsoft Corp. announced this week the existence of three recently found flaws in Windows RPC protocols. Two of the flaws are eerily similar to the RPC vulnerability, discovered this summer, that led to last month's release of the Blaster worm, which quickly spread across the world, clogging up corporate systems, sucking up bandwidth and ultimately trying to launch a denial-of-service attack on a Microsoft Web site.
These new vulnerabilities include a denial-of-service flaw and two buffer overruns. The flaws allow a remote attacker to take control of an infected computer, downloading files, destroying information or using that computer to attack other computers.
''These new vulnerabilities are close cousins of the RPC vulnerability that was first published in July,'' says Chris Belthoff, a senior security analyst with Sophos Inc., an anti-virus company based in Lynfield, Mass. ''It's a very close variant of the vulnerability that the Blaster worm was written to exploit. So the expectation is that we'll see the Son of Blaster or Blaster Junior -- a worm or multiple worms that take advantage of the vulnerability.''
And Belthoff says with the original Blaster code out there, it would be quick and easy for a virus writer to whip up a damaging knock-off that would exploit the new vulnerabilities. That means the new worm could literally hit within days or even hours.
''It could come at any time now,'' adds Belthoff. ''It wouldn't surprise me if something is seen in the next few days. It's certainly possible. Since this vulnerability is so similar to the one the Blaster worm exploited, it's not a huge development task to write another worm to exploit this vulnerability.''
Belthoff also notes that the first Blaster, though it crashed some systems because of a flaw in its own coding, didn't wreak much damage on the infected computers. Blaster was largely geared to cause trouble for Microsoft by launching a DoS attack against the Web page that enabled users to download the patch.
Users may not be so lucky with the next worm, which could be far more damaging to the infected computers.
But Central Command's Sundermeier says the infected machines are too valuable to the worm writer to damage.
''Sure, the hacker has the ability to download code of his or her choice and that code could be malicious to the infected computer,'' he explains. ''But if he causes significant damage to that machine, then that machine is taken out. If they're going to launch a DoS attack, they won't want to take down machines that they actually need.''
Sundermeier adds that there's a positive side to a new worm hitting so soon after Blaster.
''Blaster is still in people's minds,'' he says. ''Our saying is 'What is soon learned is soon forgotten.' But this is so close to the original Blaster, that may not be the case here. But people shouldn't think that just because they are patched for Blaster, they're patched for this one.''
MJ Shoer, president and CTO of Jenaly Technology, Inc., a Portsmouth, N.H.-based outsourced IT firm covering businesses in New England, says he's been busy making sure clients' systems are patched and updated.
''Everybody needs to be patched. That's what it boils down to,'' says Shoer. ''We're making sure firewalls are tight and anti-virus is up to date. We're just checking all the exposures.''
Shoer says when it comes to making sure a system is patched, the biggest vulnerability to the corporate network is the mobile user. Many corporate administrators push patches down to individual desktops and laptops that are connected to the network. If a worker has been on the road, simply dialing in from slow hotel connections, they're not likely getting the patches and security updates they need.
Shoer adds, ''We're aggressively watching all the points of exposure.''
September 08, 2003
Security analysts say while the Neroma worm, which plays on fears surrounding the Sep. 11 date, poses little threat, they are alert for increased virus trouble this week.