Sunday, October 24, 2021

Warning Goes Out of New Worm Lurking Nearby

Security analysts are warning it's inevitable that a worm is released in the wild to attack users through the newly discovered vulnerabilities in Microsoft's Windows.

"I think it's just a matter of time," says Steve Sundermeier, vice president of products and services at Central Command Inc., an anti-virus and security company. "We're all gearing up for it. It's definitely going to come. We're going to see a new worm."

Microsoft Corp. announced this week the existence of three recently found flaws in Windows RPC protocols. Two of the flaws are eerily similar to the RPC vulnerability, discovered this summer, that led to last month's release of the Blaster worm, which quickly spread across the world, clogging up corporate systems, sucking up bandwidth and ultimately trying to launch a denial-of-service attack on a Microsoft Web site.

These new vulnerabilities include a denial-of-service flaw and two buffer overruns. The flaws allow a remote attacker to take control of an infected computer, downloading files, destroying information or using that computer to attack other computers.

The new vulnerabilities offer up a temptation that security analysts think worm writers won't be able to resist. With the original Blaster code laying the developmental groundwork for a second wave of attacks, much of the hard work is already done.

"These new vulnerabilities are close cousins of the RPC vulnerability that was first published in July," says Chris Belthoff, a senior security analyst with Sophos Inc., an anti-virus company based in Lynnfield, Mass. "It's a very close variant of the vulnerability that the Blaster worm was written to exploit. So the expectation is that we'll see the Son of Blaster or Blaster Junior — a worm or multiple worms that take advantage of the vulnerability."

And Belthoff says with the original Blaster code out there, it would be quick and easy for a virus writer to whip up a damaging knock-off that would exploit the new vulnerabilities. That means the new worm could literally hit within days or even hours.

"It could come at any time now," adds Belthoff. "It wouldn't surprise me if something is seen in the next few days. It's certainly possible. Since this vulnerability is so similar to the one the Blaster worm exploited, it's not a huge development task to write another worm to exploit this vulnerability."

Belthoff also notes that the first Blaster, though it crashed some systems because of a flaw in its own coding, didn't wreak much damage on the infected computers. Blaster was largely geared to cause trouble for Microsoft by launching a DoS attack against the Web page that enabled users to download the patch.

Users may not be so lucky with the next worm, which could be far more damaging to the infected computers.

But Central Command's Sundermeier says the infected machines are too valuable to the worm writer to damage.

"Sure, the hacker has the ability to download code of his or her choice and that code could be malicious to the infected computer," he explains. "But if he causes significant damage to that machine, then that machine is taken out. If they're going to launch a DoS attack, they won't want to take down machines that they actually need."

Sundermeier adds that there's a positive side to a new worm hitting so soon after Blaster.

"Blaster is still in people's minds," he says. "Our saying is 'What is soon learned is soon forgotten.' But this is so close to the original Blaster, that may not be the case here. But people shouldn't think that just because they are patched for Blaster, they're patched for this one."

MJ Shoer, president and CTO of Jenaly Technology, Inc., a Portsmouth, N.H.-based outsourced IT firm covering businesses in New England, says he's been busy making sure clients' systems are patched and updated.

"Everybody needs to be patched. That's what it boils down to," says Shoer. "We're making sure firewalls are tight and anti-virus is up to date. We're just checking all the exposures."

Shoer says when it comes to making sure a system is patched, the biggest vulnerability to the corporate network is the mobile user. Many corporate administrators push patches down to individual desktops and laptops that are connected to the network. If a worker has been on the road, simply dialing in from slow hotel connections, they're not likely getting the patches and security updates they need.

Shoer adds, "We're aggressively watching all the points of exposure."
