Virus writers are reportedly sharing code online that will help them break into computers
and could lead to the creation of another Blaster-like worm, according to security experts.
The exploit code, which is making its rounds in the black-hat hacker underground, is the
source code that a programmer would use to create an administrative account on an infected
computer, giving the hacker control over that computer. The code takes advantage of the
latest flaws found in Microsoft Corp.’s Windows operating system.
“The exploit code allows an attacker to create an administrative account and then he
literally owns that computer,” says Ken Dunham, malicious-code intelligence manager for
iDefense, Inc., a security company based in Reston, Va. “Once he has access to that
computer, he can do whatever he wants. It’s trivial. With this exploit code it’s really easy
to do.”
Rachel Sunbarger, a spokeswoman for the Department of Homeland Security, told
Datamation that they are monitoring the situation and have been in contact with the
FBI, which handles high-tech investigations. “This exploit code is definitely something
that we are watching,” she says.
Microsoft Corp. announced on Sep. 10 the existence of three recently found flaws in Windows
RPC protocols. Two of the flaws are eerily similar to the RPC vulnerability, discovered this
summer, that led to last month’s release of the Blaster worm, which quickly spread across
the world, clogging up corporate systems, sucking up bandwidth and ultimately trying to
launch a denial-of-service attack on a Microsoft Web site.
These new vulnerabilities include a Denial of Service flaw and two buffer overruns. The
flaws allow a remote attacker to take control of an infected computer, downloading files,
destroying information or using that computer to attack other computers.
Security experts have been on alert for a worm to hit that exploits the new vulnerabilities.
With the original Blaster code laying the developmental groundwork for the new attack, much
of the work already has been done.
Hacker Chatter
The appearance of this exploit code in the hacker community this week means virus
writers are even closer to developing that new worm. Several security experts say there has
been a ‘flurry’ of activity and chatter in the black-hat underground in the past two days.
“We have an elevated risk just because the code is out there,” says Dan Ingevaldson, an
engineering manager with Atlanta-based Internet Security Systems, Inc. “This seems to be
from the same group that wrote code that got into Blaster and Nachi. The group is called
XFocus. It’s a group of black-hat hackers out of China that has been producing exploits the
past few years.”
Ingevaldson, though, says the exploit code being shared isn’t extremely well-written
and may lead to more system crashes than compromises at this point.
But iDefense’s Dunham says the exploit code is already being used to hack into vulnerable
computers.
“One guy out there claims he’s already infecting computers,” says Dunham. “I see no
reason why that couldn’t be true considering his history.”
Dunham, who first detected the sharing of the exploit code on Tuesday, knows the hacker’s
history and knows about the code because he infiltrated a private chat room dedicated to the
development of trojans.
“Someone who works on trojans long enough can work their way in,” says Dunham. “This one
was not that difficult… There’s about a dozen or so guys who hang in the chat room trading
information. I was disguised as an individual who has an interest in trojans.”
Dunham says though he enters the chat room, he never shares code or promotes anything
malicious.
The code, Dunham notes, is specific to the Windows 2000 operating system. However, he adds
that he has evidence that virus writers are working on code for Windows NT and Windows XP
as well.
Security analysts say consumers and corporate IT managers are moving more quickly than usual
to download the needed patch for the latest RPC vulnerabilities. Memories of last month’s
costly Blaster and Sobig-F attacks are spurring on the precautions. The question is if the
millions of computers plagued by the flaws can be fixed before a worm is released.
“Microsoft reports that download of the patch is up 60% or so,” says Dunham.
“People are patching more aggressively, but there are thousands and thousands of computers
vulnerable. It’s going to take weeks before a large number of computers are patched.
“This code makes it very easy for someone to create a worm,” he adds. “If you’ve got the
source code, which was made available Tuesday, you can go in and start doing a little bit of
programming and before you know it you’ve got a worm.”
Ingevaldson says he expects to see more exploit code and possibly the related worm hit in
the next week or so.
“There’s a lot of different people working on this,” says Ingevaldson. “I’m expecting to
see at least a couple more variations of the exploit. First someone posts the exploit and
then someone else posts support for Windows NT to the exploit. Then someone else fixes a bug
in the exploit. Once it hits critical mass — once it’s effective — all it takes is one
person to write some code, maybe a few hundred lines to acquire targets and compromise them.
It’s impossible to predict because all it takes is one person to do it.”