Virus writers are reportedly sharing code online that will help them break into computers
and could lead to the creation of another Blaster-like worm, according to security experts.
The exploit code, which is making its rounds in the black-hat hacker underground, is
source code that an attacker would use to create an administrative account on a vulnerable
computer, giving the hacker control over that machine. The code takes advantage of the
latest flaws found in Microsoft Corp.’s Windows operating system.
“The exploit code allows an attacker to create an administrative account and then he
literally owns that computer,” says Ken Dunham, malicious-code intelligence manager for
iDefense, Inc., a security company based in Reston, Va. “Once he has access to that
computer, he can do whatever he wants. It’s trivial. With this exploit code it’s really easy
to do.”
Rachel Sunbarger, a spokeswoman for the Department of Homeland Security, told
Datamation that the department is monitoring the situation and has been in contact with the
FBI, which handles high-tech investigations. “This exploit code is definitely something
that we are watching,” she says.
Microsoft Corp. announced on Sep. 10 the existence of three recently found flaws in the Windows
RPC service. Two of the flaws are eerily similar to the RPC vulnerability, discovered this
summer, that led to last month’s release of the Blaster worm, which quickly spread across
the world, clogging corporate systems, consuming bandwidth and ultimately trying to
launch a denial-of-service attack on a Microsoft Web site.
These new vulnerabilities include a denial-of-service flaw and two buffer overruns. The
buffer overruns allow a remote attacker to take control of an unpatched computer, downloading
files, destroying information or using that computer to attack other computers; the
denial-of-service flaw can be used to crash the RPC service but not to run code on it.
Security experts have been on alert for a worm that exploits the new vulnerabilities.
With the original Blaster code laying the groundwork for a new attack, much of the
development work has already been done.
Hacker Chatter
The appearance of this exploit code in the hacker community this week means virus
writers are even closer to developing that new worm. Several security experts say there has
been a ‘flurry’ of activity and chatter in the black-hat underground in the past two days.
“We have an elevated risk just because the code is out there,” says Dan Ingevaldson, an
engineering manager with Atlanta-based Internet Security Systems, Inc. “This seems to be
from the same group that wrote code that got into Blaster and Nachi. The group is called
XFocus. It’s a group of black-hat hackers out of China that has been producing exploits the
past few years.”
Ingevaldson, though, says the exploit code being shared isn’t extremely well-written
and may lead to more system crashes than compromises at this point.
But iDefense’s Dunham says the exploit code is already being used to hack into vulnerable
computers.
“One guy out there claims he’s already infecting computers,” says Dunham. “I see no
reason why that couldn’t be true considering his history.”
Dunham, who first detected the sharing of the exploit code on Tuesday, knows the hacker’s
history and knows about the code because he infiltrated a private chat room dedicated to the
development of trojans.
“Someone who works on trojans long enough can work their way in,” says Dunham. “This one
was not that difficult… There’s about a dozen or so guys who hang in the chat room trading
information. I was disguised as an individual who has an interest in trojans.”
Dunham says though he enters the chat room, he never shares code or promotes anything
malicious.
The code, Dunham notes, is specific to the Windows 2000 operating system. However, he adds
that he has evidence that virus writers are working on code for Windows NT and Windows XP
as well.
Security analysts say consumers and corporate IT managers are moving more quickly than usual
to download the patch for the latest RPC vulnerabilities. Memories of last month’s
costly Blaster and Sobig-F attacks are spurring the precautions. The question is whether the
millions of computers affected by the flaws can be patched before a worm is released.
“Microsoft reports that download of the patch is up 60% or so,” says Dunham.
“People are patching more aggressively, but there are thousands and thousands of computers
vulnerable. It’s going to take weeks before a large number of computers are patched.
“This code makes it very easy for someone to create a worm,” he adds. “If you’ve got the
source code, which was made available Tuesday, you can go in and start doing a little bit of
programming and before you know it you’ve got a worm.”
Ingevaldson says he expects to see more exploit code and possibly the related worm hit in
the next week or so.
“There’s a lot of different people working on this,” says Ingevaldson. “I’m expecting to
see at least a couple more variations of the exploit. First someone posts the exploit and
then someone else posts support for Windows NT to the exploit. Then someone else fixes a bug
in the exploit. Once it hits critical mass — once it’s effective — all it takes is one
person to write some code, maybe a few hundred lines to acquire targets and compromise them.
It’s impossible to predict because all it takes is one person to do it.”