Where's MSBlaster II? Worm Writers Lying Low

No such worm appeared. What gives?

"We saw a highly functional binary that exploited Microsoft 2000 and evidence of tools that would allow an attack on Windows XP," said Ken Dunham, an analyst with security firm iDefense, and one of those who claimed that a so-called MSBlaster II worm was imminent. On further analysis, it turned out that the code was buggy, and didn't always work.

"It's hard to predict what's out there," Dunham said in defending the announcement of an imminent MSBlaster II worm. "But [security firms] do understand trends. We have a good understanding of the hacker underground, and we were seeing a ton of activity on the 039 vulnerability. We really thought that something was going to happen."

Another of the security experts who said that another MSBlaster worm might show up soon was Bruce Schneier of Counterpane Internet Security.

"So far we're lucky," he said. "But this stuff is all random. Worms are created by the kind of guy who when he doesn't have a date, writes a worm.

"It's a judgment call," Schneier said, in talking about whether to make an announcement or keep quiet. "You're right, people get complacent," when you make constant announcements, "but the real problem is that there are so many patches and vulnerabilities. You just do the best you can."

Dunham defended the practice of blowing the whistle on possible worms. "Getting the news out has a side benefit of getting a lot of people to update, people such as home users and small businesses who don't normally update regularly. It helps protect a lot of computers against vulnerabilities."

Other security experts agreed that spreading the warning about a potential new worm was the right thing to do. At least in this case.

"They were absolutely correct, and would have been remiss if they hadn't," said Alfred Huger, the senior director of engineering at Symantec's security response center. "Unfortunately, we don't always nail a [time] window on an exploit," he explained.

Although there's a danger of destroying credibility in the long term by 'crying wolf,' Huger noted that there's a very fine line between disclosing that an exploit exists and saying nothing. Security firms can get slammed either way.

"Security vendors have to be remarkably careful [about disclosing information], but in this case, it was based on pretty solid information."

It may be that worm writers are playing possum, spooked by recent arrests in both the U.S. and Romania of men charged with writing variants of the original MSBlaster. Dunham and Huger said that these arrests might well be the reason why a new worm hasn't shown.

"The people who create worms are lying low," Dunham said. "When worm authors are quickly prosecuted and held accountable, that impacts development. They're thinking, 'It's just not worth it if I'm going to jail.'"

"I think they saw the arrests and decided writing a worm wasn't worth the trouble," Huger agreed.

Not that there isn't plenty of hacker activity related to the second RPC DCOM vulnerability in Microsoft Windows. That vulnerability goes by the Microsoft-assigned moniker of MS03-039.

"We're still seeing hard evidence that a significant number of computers have been infected by Trojan horse authors exploiting the 039 vulnerability," Dunham said. "They're still targeting computers that are vulnerable."

The behind-the-scenes activity is both different, and possibly more dangerous, than an actual worm, Dunham said.

Trojan horse authors can very quietly and covertly attack systems with the intention of remotely controlling them, then use that access to steal confidential information from compromised machines. Their motivation differs from that of worm authors, who simply want to see the Internet disrupted on a massive scale.

But even though another MSBlaster hasn't struck, that doesn't mean users should be complacent, Dunham said.

"Trojan horse authors are continuing their attacks," he said.

This story courtesy of TechWeb.