Warning: MSBlaster May be Just the Beginning

Security analysts are warning IT managers that the MSBlaster worm may just be the beginning of malicious code that will take advantage of what some are calling the most widespread Windows flaw in history.
Security analysts are warning IT managers that the MSBlaster worm may just be the beginning of malicious code that will take advantage of what some are calling the most widespread Windows flaw in history.

''I'm afraid this is just the beginning,'' says Dan Ingevaldson, an engineering manager with Altanta-based Internet Security Systems, Inc. ''We're going to be dealing with this worm, or variations of this worm, for some time... I'm worried about the fact that there are still so many vulnerable machines out there.''

MSBlaster, which was first detected Monday afternoon, has quickly spread from machine to machine across the globe through a flaw in the Windows operating system. But the worm doesn't carry a destructive payload, only causing a small percentage of infected computers to reboot because of a flaw in its own coding.

Instead, MSBlaster, otherwise known as LovSan and Poza, is specifically aimed at causing trouble for Microsoft. The worm is geared to harvest as many vulnerable systems as possible and launch a Distributed Denial-of-Service (DDoS) attack on the windowsupdate.com Web site starting this Friday. By focusing all the net congestion on that Web site, the author of the worm is deliberately trying to make it difficult for IT managers and individual users to download the patch they need to secure their systems against the worm.

Several anti-virus and security companies, including Symantec Corp., have raised the worm's threat level to their second-highest rating, despite the fact that the number of new infections has leveled off or even slowed in the past 24 hours. MSBlaster has not caused much network congestion and hasn't affected Internet traffic on anything but a very localized scale. The Global Instability Index, which tracks the stability or efficiency of the routers that make up the backbone of the Internet, has shown very little reaction to MSBlaster, as opposed to the Slammer worm, which wreaked havoc on it.

But analysts say it's the potential they're worried about.

''Just because Blaster is slowing down, doesn't mean the threat is over,'' says Dee Liebenstein, group product manager of Cupertino, Calif.-based Symantec Security Response. ''There's the threat of another worm or a variant of this worm... There's the potential that the next threat can have direct damage.''

Liebenstein notes that the seriousness of the threat stems not from the worm but from the significance of the flaw that it's taking advantage of.

MSBlaster exploits a flaw with the Remote Procedure Call (RPC) process, which controls activities such as file sharing. The flaw enables the attacker to gain full access to the system. The vulnerability itself, which affects Windows NT, Windows 2000 and Windows XP machines, affects both servers and desktops, expanding the reach of any exploit that takes advantage of it.

Where the vulnerability affects servers and desktops in such popular operating systems, there are potentially millions of vulnerable computers out there right now. The security industry sent out a widespread warning about two weeks ago, spurring many companies to install the necessary patch, which was available from Microsoft almost a month ago.

But security analysts worry that there are still millions of unpatched machines vulnerable to the new worm.

''This vulnerability gives the attacker access to the machine at local privileges,'' says Liebenstein. ''It makes the invader the user of the machine. Really, it could give them the ability to add files, delete files, change files. It could delete critical files off your machine. It could be exporting information off your machine. It is important that no one thinks the threat is over just because Blaster is slowing down.''

Jeff Havrilla, Internet security analyst at the CERT Coordination Center, which is part of the Software Engineering Institute at Pittsburgh-based Carnegie Mellon, says there is a historical bell curve of malicious code that exploits a vulnerability. He too says the Blaster worm will probably be the first in a string of exploits for the RPC vulnerability.

''It will continue to be exploited,'' says Havrilla. ''CodeRed was the best example of that. It may happen. It may not. CodeRed was let lose and over the course of a few days it mutated, and somebody engineered it to it propagate faster. It scanned hosts more efficiently and got at a large number of systems more quickly.''

But Havrilla says worms aren't the only threat connected to this particular vulnerability.

''We have seen reports of attackers using the vulnerability to manually get into peoples' systems,'' he adds. ''A number of exploits have been published that allow intruders to execute code to get into vulnerable systems... An exploit that works is highly valued so it will be shared in the intruder community. We have had reports of people organizing compromised systems into groups to attack other computers.''

George Bakos, a senior security expert at the Institute for Security Technology Studies at Dartmouth College in Hanover, N.H., says he wouldn't be surprised if more attacks followed Blaster, but for now IT and security managers need to stay on alert and wait.

''We can muse all day long,'' says Bakos. ''It really is up to the worm authors and what their intent is. This time it was almost a social statement against a flawed system since they went after Microsoft's Windows update facility. What's the next statement or the next motivation? Something political? Something financial? Somebody out for a joy ride spraying digital graffiti around? Your guess is as good as mine.''






0 Comments (click to add your comment)
Comment and Contribute

 


(Maximum characters: 1200). You have characters left.