Monday, May 27, 2024

Hackers Unleashing Code for Blaster Copycat


Virus writers are reportedly sharing code online that will help them break into computers and could lead to the creation of another Blaster-like worm, according to security experts.

The exploit code, which is making its rounds in the black-hat hacker underground, is the source code that a programmer would use to create an administrative account on a compromised computer, giving the hacker control over that computer. The code takes advantage of the latest flaws found in Microsoft Corp.’s Windows operating system.

”The exploit code allows an attacker to create an administrative account and then he literally owns that computer,” says Ken Dunham, malicious-code intelligence manager for iDefense, Inc., a security company based in Reston, Va. ”Once he has access to that computer, he can do whatever he wants. It’s trivial. With this exploit code it’s really easy to do.”

Rachel Sunbarger, a spokeswoman for the Department of Homeland Security, told Datamation that they are monitoring the situation and have been in contact with the FBI, which handles high-tech investigations. ”This exploit code is definitely something that we are watching,” she says.

Microsoft Corp. announced on Sep. 10 the existence of three recently found flaws in Windows RPC protocols. Two of the flaws are eerily similar to the RPC vulnerability, discovered this summer, that led to last month’s release of the Blaster worm, which quickly spread across the world, clogging up corporate systems, sucking up bandwidth and ultimately trying to launch a denial-of-service attack on a Microsoft Web site.

These new vulnerabilities include a denial-of-service flaw and two buffer overruns. The buffer overruns allow a remote attacker to take control of a vulnerable computer, downloading files, destroying information or using that computer to attack other computers.

Security experts have been on alert for a worm to hit that exploits the new vulnerabilities. With the original Blaster code laying the developmental groundwork for the new attack, much of the work already has been done.

Hacker Chatter

The appearance of this exploit code in the hacker community this week means virus writers are even closer to developing that new worm. Several security experts say there has been a ‘flurry’ of activity and chatter in the black-hat underground in the past two days.

”We have an elevated risk just because the code is out there,” says Dan Ingevaldson, an engineering manager with Atlanta-based Internet Security Systems, Inc. ”This seems to be from the same group that wrote code that got into Blaster and Nachi. The group is called XFocus. It’s a group of black-hat hackers out of China that has been producing exploits the past few years.”

Ingevaldson, though, says the exploit code being shared isn’t extremely well-written and may lead to more system crashes than compromises at this point.

But iDefense’s Dunham says the exploit code is already being used to hack into vulnerable


”One guy out there claims he’s already infecting computers,” says Dunham. ”I see no reason why that couldn’t be true considering his history.”

Dunham, who first detected the sharing of the exploit code on Tuesday, knows the hacker’s history and knows about the code because he infiltrated a private chat room dedicated to the development of trojans.

”Someone who works on trojans long enough can work their way in,” says Dunham. ”This one was not that difficult… There’s about a dozen or so guys who hang in the chat room trading information. I was disguised as an individual who has an interest in trojans.”

Dunham says though he enters the chat room, he never shares code or promotes anything


The code, Dunham notes, is specific to the Windows 2000 operating system. However, he adds that he has evidence that virus writers are working on code for Windows NT and Windows XP as well.

Security analysts say consumers and corporate IT managers are moving more quickly than usual to download the needed patch for the latest RPC vulnerabilities. Memories of last month’s costly Blaster and Sobig-F attacks are spurring on the precautions. The question is if the millions of computers plagued by the flaws can be fixed before a worm is released.

”Microsoft reports that download of the patch is up 60% or so,” says Dunham. ”People are patching more aggressively, but there are thousands and thousands of computers vulnerable. It’s going to take weeks before a large number of computers are patched.

”This code makes it very easy for someone to create a worm,” he adds. ”If you’ve got the source code, which was made available Tuesday, you can go in and start doing a little bit of programming and before you know it you’ve got a worm.”

Ingevaldson says he expects to see more exploit code and possibly the related worm hit in the next week or so.

”There’s a lot of different people working on this,” says Ingevaldson. ”I’m expecting to see at least a couple more variations of the exploit. First someone posts the exploit and then someone else posts support for Windows NT to the exploit. Then someone else fixes a bug in the exploit. Once it hits critical mass — once it’s effective — all it takes is one person to write some code, maybe a few hundred lines to require targets and compromise them. It’s impossible to predict because all it takes is one person to do it.”
