The security industry is on alert that an upswing in hacker activity could be signaling the
coming of a broad-scale attack that could potentially affect millions of networks.
The increased hacker activity is pinpointing a vulnerability in Microsoft Corp.’s Windows
operating system. A problem with the Windows RPC Interface Buffer Overrun was first
disclosed on July 16. Security experts say hackers started experimenting with the
vulnerability almost immediately, and the rate of system probes and online chatter about the
vulnerability has been skyrocketing.
”We’re very concerned,” says Dan Ingevaldson, an engineering manager with Altanta-based
Internet Security Systems, Inc. ”Administrators have a window of time to fix their systems,
but that window is getting smaller… We think there’s a risk here to the entire Internet.”
There’s enough of a wide-scale risk that the Department of Homeland Security (DHS) is on
alert. David Wray, a DHS spokesman, says his people have been monitoring the situation and
are in direct contact with the security community, as well as with industry.
”We’re seeing an Internet-wide increase in probing that could be a search for vulnerable
computers,” says Wray. ”It could be a precursor and it bears continued watching… It
certainly could be serious. It could lead to the distribution of destructive, malicious code
and it could cause considerable disruption.”
But Wray and security experts agree that the situation could be defused if IT managers and
individual consumers immediately download and install the patch that Microsoft has issued
for the RPC vulnerability.
The vulnerability itself, which affects Windows NT, Windows 2000 and Windows XP machines, is
a serious one.
Qualys, Inc., a security auditing and vulnerability management company based in Redwood
Shores, Calif., has rated the Windows flaw as the most critical one out there right now.
Gerhard Eschelbeck, CTO of Qualys, says it involves the most prominent protocol used in the
Windows environment and leverages highly exposed ports
Ingevaldson notes that the vulnerability is unique in that it affects both servers and
desktops, expanding the reach of any exploit that takes advantage of it.
”We haven’t seen much of that before this,” says Ingevaldson. ”It’s the first major
vulnerability that crosses the line between desktops and servers. It’s a core component of
the operating system.”
And Ingevaldson says there’s a lot of potential for damage here.
”Look at SQL Slammer,” he adds. ”That affected between 100,000 and 300,000 machines.
There’s a lot more Windows XP and 2000 out there. There’s a very large pool of vulnerable
machines. Millions potentially.”
And that kind of potential is drawing a sizable amount of attention from the hacker
community.
Chris Belthoff, a senior security analyst with Sophos, Inc., a security and anti-virus
company based in Lynnfield, Mass., says there hasn’t been an increase in virus or worm
activity yet, but they are seeing a major increase in system probes. Hackers are poking into
computers and networks around the world to see what systems are in place and what
vulnerabilities haven’t been patched.
The hackers have been experimenting with the exploit, says Ingevaldson, who has seen several
versions of the same tool that is being used to prod at the vulnerability.
And Qualys’ Eschelbeck says they have been monitoring online chatter about the vulnerability
in the hacker community. ”There’s a lot of creativity being put in right now to make the
exploit more powerful… and hit on a wider scale,” he says. ”It’s a strong indicator that
things are in the making.”
Most agree that the exploit would come in the form of a worm, since the vulnerability
doesn’t lend itself to a Denial-of-Service attack.
What security experts aren’t agreeing on is if the probes and increased hacker activity is
coming from one person or an organized group. The Department of Homeland Security is
reporting that there’s no evidence at this point that it’s an organized attack or that it’s
a matter of international terrorism.
But Sophos’ Belthoff says it does ring of an organized effort.
”My guess is that it’s a number of people,” he says. ”It’s not just an individual person
doing all these probes to assess vulnerability levels. The probes are distributed. The
normal level is pretty high and this is way above that.”
Belthoff adds, ”It’s a race against time and the potential for a new, big worm outbreak.”