Download our in-depth report: The Ultimate Guide to IT Security VendorsVirus writers are reportedly sharing code online that will help them break into computersand could lead to the creation of another Blaster-like worm, according to security experts.
The exploit code, which is making its rounds in the black-hat hacker underground, is thesource code that a programmer would use to create an administrative account on an infectedcomputer, giving the hacker control over that computer. The code takes advantage of thelatest flaws found in in Microsoft Corp.'s Windows operating system.
''The exploit code allows an attacker to create an administrative account and then heliterally owns that computer,'' says Ken Dunham, malicious-code intelligence manager foriDefense, Inc., a security company based in Reston, Va. ''Once he has access to thatcomputer, he can do whatever he wants. It's trivial. With this exploit code it's really easyto do.''
Rachel Sunbarger, a spokeswoman for the Department of Homeland Security, toldDatamation that they are monitoring the situation and have been in contact with theFBI, which handles high-tech investigations. ''This exploit code is definitely somethingthat we are watching,'' she says.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i Microsoft Corp. announced on Sep. 10 the existence of three recently found flaws in WindowsRPC protocols. Two of the flaws are eerily similar to the RPC vulnerability, discovered thissummer, that led to last month's release of the Blaster worm, which quickly spread acrossthe world, clogging up corporate systems, sucking up bandwidth and ultimately trying tolaunch a denial-of-service attack on a Microsoft Web site.
These new vulnerabilities include a Denial of Service flaw and two buffer overruns. Theflaws allow a remote attacker to take control of an infected computer, downloading files,destroying information or using that computer to attack other computers.
Security experts have been on alert for a worm to hit that exploits the new vulnerabilities.With the original Blaster code laying the developmental groundwork for the new attack, muchof the work already has been done.
The appearance of this exploit code in the hacker community this week means viruswriters are even closer to developing that new worm. Several security experts say there hasbeen a 'flurry' of activity and chatter in the black-hat underground in the past two days.
''We have an elevated risk just because the code is out there,'' says Dan Ingevaldson, anengineering manager with Altanta-based Internet Security Systems, Inc. ''This seems to befrom the same group that wrote code that got into Blaster and Nachi. The group is calledXFocus. It's a group of black-hat hackers out of China that has been producing exploits thepast few years.''
Ingevaldson, though, says the exploit code being shared isn't extremely well-writtenand may lead to more system crashes than compromises at this point.
But iDefense's Dunham says the exploit code is already being used to hack into vulnerablecomputers.
''One guy out there claims he's already infecting computers,'' says Dunham. ''I see noreason why that couldn't be true considering his history.''
Dunham, who first detected the sharing of the exploit code on Tuesday, knows the hacker'shistory and knows about the code because he infiltrated a private chat room dedicated to thedevelopment of trojans.
''Someone who works on trojans long enough can work their way in,'' says Dunham. ''This onewas not that difficult... There's about a dozen or so guys who hang in the chat room tradinginformation. I was disguised as an individual who has an interest in trojans.''
Dunham says though he enters the chat room, he never shares code or promotes anythingmalicious.
The code, Dunham notes, is specific to the Windows 2000 operating system. However, he addsthat he has evidence that virus writers are working on code for Windows NT and Windows XPas well.
Security analysts say consumers and corporate IT managers are moving more quickly than usualto download the needed patch for the latest RPC vulnerabilities. Memories of last month'scostly Blaster and Sobig-F attacks are spurring on the precautions. The question is if themillions of computers plagued by the flaws can be fixed before a worm is released.
''Microsoft reports that download of the patch is up 60% or so,'' says Dunham.''People are patching more aggressively, but there are thousand and thousands of computersvulnerable. It's going to take weeks before a large number of computers are patched.
''This code makes it very easy for someone to create a worm,'' he adds. ''If you've got thesource code, which was made available Tuesday, you can go in and start doing a little bit ofprogramming and before you know it you've got a worm.''
Ingevaldson says he expects to see more exploit code and possibly the related worm hit inthe next week or so.
''There's a lot of different people working on this,'' says Ingevaldson. ''I'm expecting tosee at least a couple more variations of the exploit. First someone posts the exploit andthen someone else posts support for Windows NT to the exploit. Then someone else fixes a bugin the exploit. Once it hits critical mass -- once it's effective -- all it takes is oneperson to write some code, maybe a few hundred lines to require targets and compromise them.It's impossible to predict because all it takes is one person to do it.''