Blaster Type Virus Attack Called 'Imminent'
Exploit code for 'critical' Windows ASN.1 flaw could lead to major network disruption.
Malicious code to exploit a component of the Microsoft Windows ASN.1 vulnerability is circulating, prompting security experts to issue a chilling warning: a Blaster-type virus attack is imminent.
The exploit code, specifically created to target a buffer overflow flaw in Microsoft's implementation of the Abstract Syntax Notation 1 (ASN.1) data standard could cause immediate denial-of-service attacks
"A virus attack will happen and it will happen very soon. It's not a matter of if, but when," warned Gartner security analyst John Pescatore. "This is a very dangerous vulnerability. It is pretty easy to exploit and once the bad guys get their hands on an exploit, we will see an attack."
That level of system takeover was last seen when the MSBlast (Blaster) virus started spreading last summer, hammering corporate networks, e-mail servers and snarling ISP traffic around the world.
The latest ASN.1 exploit, which has been seen by internetnews.com on several underground Web sites, is programmed to crash the Microsoft Local Security Authority Subsystem process, LSASS.exe. After crashing LSASS.exe, the code causes infected systems to reboot at one minute intervals.
The exploit code can be launched via server message blocks or the NetBIOS file sharing protocols to PCs via ports 445 or 139. An IT administrator who tested the exploit code reported that it was able to take down an unpatched Windows 2000 system. It did not work on Windows XP or Windows Server 2003 but experts say a skilled attacker could tweak the code to target the flaw in those operating systems.
The Microsoft vulnerability affects Windows NT 4.0, Windows NT Server 4.0 Terminal Server Edition, Windows 2000, Windows XP and Windows Server 2003.
The exploit code in circulation is set only to cause denial-of-service scenarios but could be used as a blueprint for more serious exploits like the hijacking on unpatched systems.
As a workaround, Windows users are urged to block untrusted access to ports 445 and 439 and immediately install the available ASN.1 fix.
Ken Dunham, director of malicious code at research firm iDefense, said the exploit code "compiles rather easily" and is fully functional as a DoS tool.
"The threat index for ASN.1 attacks has just gone up significantly. This new exploit code serves as a template for attackers who want to gain remote access to vulnerable computers, infect them with Trojans, or create a bot or worm," Dunham warned.
The ASN.1 standard is used by many applications and devices in the technology industry to allow the normalization and understanding of data across various platforms.