Warning Goes Out of New Worm Lurking Nearby

Security analysts are warning that it is only a matter of time before a worm is released in the wild to attack users through the newly discovered vulnerabilities in Microsoft's Windows.

"I think it's just a matter of time," says Steve Sundermeier, vice president of products and services at Central Command Inc., an anti-virus and security company. "We're all gearing up for it. It's definitely going to come. We're going to see a new worm."

Microsoft Corp. announced this week the existence of three recently found flaws in Windows RPC protocols. Two of the flaws are eerily similar to the RPC vulnerability, discovered this summer, that led to last month's release of the Blaster worm, which quickly spread across the world, clogging up corporate systems, sucking up bandwidth and ultimately trying to launch a denial-of-service attack on a Microsoft Web site.

These new vulnerabilities include a denial-of-service flaw and two buffer overruns. The flaws allow a remote attacker to take control of an infected computer, downloading files, destroying information or using that computer to attack other computers.

The new vulnerabilities offer up a temptation that security analysts think worm writers won't be able to resist. With the original Blaster code laying the developmental groundwork for a second wave of attacks, much of the hard work is already done.

"These new vulnerabilities are close cousins of the RPC vulnerability that was first published in July," says Chris Belthoff, a senior security analyst with Sophos Inc., an anti-virus company based in Lynnfield, Mass. "It's a very close variant of the vulnerability that the Blaster worm was written to exploit. So the expectation is that we'll see the Son of Blaster or Blaster Junior -- a worm or multiple worms that take advantage of the vulnerability."

And Belthoff says with the original Blaster code out there, it would be quick and easy for a virus writer to whip up a damaging knock-off that would exploit the new vulnerabilities. That means the new worm could literally hit within days or even hours.

"It could come at any time now," adds Belthoff. "It wouldn't surprise me if something is seen in the next few days. It's certainly possible. Since this vulnerability is so similar to the one the Blaster worm exploited, it's not a huge development task to write another worm to exploit this vulnerability."

Belthoff also notes that the first Blaster, though it crashed some systems because of a flaw in its own coding, didn't wreak much damage on the infected computers. Blaster was largely geared to cause trouble for Microsoft by launching a DoS attack against the Web page that enabled users to download the patch.

Users may not be so lucky with the next worm, which could be far more damaging to the infected computers.

But Central Command's Sundermeier says the infected machines are too valuable to the worm writer to damage.

"Sure, the hacker has the ability to download code of his or her choice and that code could be malicious to the infected computer," he explains. "But if he causes significant damage to that machine, then that machine is taken out. If they're going to launch a DoS attack, they won't want to take down machines that they actually need."

Sundermeier adds that there's a positive side to a new worm hitting so soon after Blaster.

"Blaster is still in people's minds," he says. "Our saying is 'What is soon learned is soon forgotten.' But this is so close to the original Blaster, that may not be the case here. But people shouldn't think that just because they are patched for Blaster, they're patched for this one."

MJ Shoer, president and CTO of Jenaly Technology, Inc., a Portsmouth, N.H.-based outsourced IT firm covering businesses in New England, says he's been busy making sure clients' systems are patched and updated.

"Everybody needs to be patched. That's what it boils down to," says Shoer. "We're making sure firewalls are tight and anti-virus is up to date. We're just checking all the exposures."

Shoer says when it comes to making sure a system is patched, the biggest vulnerability to the corporate network is the mobile user. Many corporate administrators push patches down to individual desktops and laptops that are connected to the network. If a worker has been on the road, simply dialing in from slow hotel connections, they're not likely getting the patches and security updates they need.
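The blind spot Shoer describes is that a push-based patch process can only vouch for hosts that have actually reported in since the patch shipped. The script below is an added illustration, not code from the article or from Jenaly Technology: it triages a constructed inventory export into hosts confirmed patched, hosts that reported in but still lack the patch (the push failed, but they are reachable), and hosts that have not been seen since the patch was released and so cannot be trusted either way. The patch identifier, the release date, the "current time" and every inventory record are constructed placeholders, since the article names none of them.

```python
from datetime import datetime, timedelta

# Placeholder identifier: the article does not name the bulletin or hotfix,
# so a clearly fake label stands in for the required patch.
REQUIRED_PATCH = "RPC-PATCH-PLACEHOLDER"

# Constructed dates: the day the patch shipped and the time the report runs.
PATCH_RELEASED = datetime(2003, 9, 10)
NOW = datetime(2003, 9, 12, 12, 0)

# Constructed inventory in the shape a patch-management console might export.
# "last_seen" is the host's most recent check-in with the patch server.
INVENTORY = [
    {"host": "desk-01", "mobile": False, "last_seen": datetime(2003, 9, 12, 8, 0),
     "patches": {"RPC-PATCH-PLACEHOLDER"}},
    {"host": "desk-02", "mobile": False, "last_seen": datetime(2003, 9, 12, 9, 0),
     "patches": set()},
    {"host": "desk-03", "mobile": False, "last_seen": datetime(2003, 9, 10, 6, 0),
     "patches": set()},
    {"host": "lap-01", "mobile": True, "last_seen": datetime(2003, 9, 8, 17, 30),
     "patches": set()},
    {"host": "lap-02", "mobile": True, "last_seen": datetime(2003, 9, 11, 7, 15),
     "patches": {"RPC-PATCH-PLACEHOLDER"}},
    {"host": "lap-03", "mobile": True, "last_seen": datetime(2003, 9, 9, 12, 0),
     "patches": set()},
]


def classify(record, now, required=REQUIRED_PATCH, released=PATCH_RELEASED,
             stale_after=timedelta(days=2)):
    """Return 'patched', 'missing' or 'unknown' for one inventory record.

    'missing': the host has reported in since the patch shipped and still
    lacks it, so the push failed but the host is reachable and fixable now.
    'unknown': the host has not reported since the patch shipped, or has been
    silent longer than stale_after, so the console cannot vouch for it. This
    is the case of the laptop that has been on the road.
    """
    if required in record["patches"]:
        return "patched"
    if record["last_seen"] < released or now - record["last_seen"] > stale_after:
        return "unknown"
    return "missing"


def triage(inventory, now, **kwargs):
    """Group hostnames by patch state; each bucket is sorted for stable output."""
    buckets = {"patched": [], "missing": [], "unknown": []}
    for record in inventory:
        buckets[classify(record, now, **kwargs)].append(record["host"])
    return {state: sorted(hosts) for state, hosts in buckets.items()}


def unreported_mobile_hosts(inventory, now, **kwargs):
    """Mobile hosts whose patch state cannot be confirmed: the ones to chase first."""
    return sorted(r["host"] for r in inventory
                  if r["mobile"] and classify(r, now, **kwargs) == "unknown")


if __name__ == "__main__":
    for state, hosts in triage(INVENTORY, NOW).items():
        print(f"{state:8s} {', '.join(hosts) or '-'}")
    print("mobile, unconfirmed:", ", ".join(unreported_mobile_hosts(INVENTORY, NOW)))
```

The point of the third bucket is that "not reported as missing" is not the same as "patched": a host that last checked in before the release date has no evidence either way, and a mobile host in that bucket is the one most likely to reconnect to the network still carrying the flaw.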

Shoer adds, ''We're aggressively watching all the points of exposure.''
