Hackers Unleashing Code for Blaster Copycat

Virus writers are reportedly sharing code online that will help them break into computers and could lead to the creation of another Blaster-like worm, according to security experts.
Posted September 18, 2003
By

Sharon Gaudin


Virus writers are reportedly sharing code online that will help them break into computers and could lead to the creation of another Blaster-like worm, according to security experts.

The exploit code, which is making its rounds in the black-hat hacker underground, is the source code that a programmer would use to create an administrative account on an infected computer, giving the hacker control over that computer. The code takes advantage of the latest flaws found in in Microsoft Corp.'s Windows operating system.

''The exploit code allows an attacker to create an administrative account and then he literally owns that computer,'' says Ken Dunham, malicious-code intelligence manager for iDefense, Inc., a security company based in Reston, Va. ''Once he has access to that computer, he can do whatever he wants. It's trivial. With this exploit code it's really easy to do.''

Rachel Sunbarger, a spokeswoman for the Department of Homeland Security, told Datamation that they are monitoring the situation and have been in contact with the FBI, which handles high-tech investigations. ''This exploit code is definitely something that we are watching,'' she says.

Microsoft Corp. announced on Sep. 10 the existence of three recently found flaws in Windows RPC protocols. Two of the flaws are eerily similar to the RPC vulnerability, discovered this summer, that led to last month's release of the Blaster worm, which quickly spread across the world, clogging up corporate systems, sucking up bandwidth and ultimately trying to launch a denial-of-service attack on a Microsoft Web site.

These new vulnerabilities include a Denial of Service flaw and two buffer overruns. The flaws allow a remote attacker to take control of an infected computer, downloading files, destroying information or using that computer to attack other computers.

Security experts have been on alert for a worm to hit that exploits the new vulnerabilities. With the original Blaster code laying the developmental groundwork for the new attack, much of the work already has been done.

Hacker Chatter

The appearance of this exploit code in the hacker community this week means virus writers are even closer to developing that new worm. Several security experts say there has been a 'flurry' of activity and chatter in the black-hat underground in the past two days.

''We have an elevated risk just because the code is out there,'' says Dan Ingevaldson, an engineering manager with Altanta-based Internet Security Systems, Inc. ''This seems to be from the same group that wrote code that got into Blaster and Nachi. The group is called XFocus. It's a group of black-hat hackers out of China that has been producing exploits the past few years.''

Ingevaldson, though, says the exploit code being shared isn't extremely well-written and may lead to more system crashes than compromises at this point.

But iDefense's Dunham says the exploit code is already being used to hack into vulnerable computers.

''One guy out there claims he's already infecting computers,'' says Dunham. ''I see no reason why that couldn't be true considering his history.''

Dunham, who first detected the sharing of the exploit code on Tuesday, knows the hacker's history and knows about the code because he infiltrated a private chat room dedicated to the development of trojans.

''Someone who works on trojans long enough can work their way in,'' says Dunham. ''This one was not that difficult... There's about a dozen or so guys who hang in the chat room trading information. I was disguised as an individual who has an interest in trojans.''

Dunham says though he enters the chat room, he never shares code or promotes anything malicious.

The code, Dunham notes, is specific to the Windows 2000 operating system. However, he adds that he has evidence that virus writers are working on code for Windows NT and Windows XP as well.

Security analysts say consumers and corporate IT managers are moving more quickly than usual to download the needed patch for the latest RPC vulnerabilities. Memories of last month's costly Blaster and Sobig-F attacks are spurring on the precautions. The question is if the millions of computers plagued by the flaws can be fixed before a worm is released.

''Microsoft reports that download of the patch is up 60% or so,'' says Dunham. ''People are patching more aggressively, but there are thousand and thousands of computers vulnerable. It's going to take weeks before a large number of computers are patched.

''This code makes it very easy for someone to create a worm,'' he adds. ''If you've got the source code, which was made available Tuesday, you can go in and start doing a little bit of programming and before you know it you've got a worm.''

Ingevaldson says he expects to see more exploit code and possibly the related worm hit in the next week or so.

''There's a lot of different people working on this,'' says Ingevaldson. ''I'm expecting to see at least a couple more variations of the exploit. First someone posts the exploit and then someone else posts support for Windows NT to the exploit. Then someone else fixes a bug in the exploit. Once it hits critical mass -- once it's effective -- all it takes is one person to write some code, maybe a few hundred lines to require targets and compromise them. It's impossible to predict because all it takes is one person to do it.''






0 Comments (click to add your comment)
Comment and Contribute

 


(Maximum characters: 1200). You have characters left.