Exploits Discovered For Windows Flaw, Experts Expect Worm 'Any Day'

The first such source code was identified Tuesday by a pair of security firms, iDefense and Counterpane Internet Security, while additional, and less threatening, code was spotted Wednesday by iDefense.

The newest RPC DCOM problems in Windows, which were disclosed by Microsoft a week ago, are potentially dangerous because they involve nearly every current edition of Windows, including Windows Server 2003, and because they are almost identical to the vulnerabilities that were exploited by the MSBlaster worm in August. Last month, MSBlaster roared through the Internet and infected more than half a million systems worldwide.

"A new Blaster-like worm could be created in a matter of hours or days now that exploit source code has been posted in the underground," said Ken Dunham, an analyst with iDefense. "All a hacker has to do is copy the new exploit to the Blaster worm, do a little bit of editing, and you have a new Blaster."

Bruce Schneier, chief technology officer and founder of Counterpane, agreed. "I expect that any day someone will drop this exploit into a new worm. Just pull out the old code, drop in the new, and you're done."


The exploit code found yesterday on multiple hacker sites would allow an attacker to obtain authenticated access to computers vulnerable to the RPC DCOM flaw, which then opens the system to all kinds of mischief, including identity or password theft, deleting files, and initiating a denial-of-service attack. Options within the code enable an attacker to specifically target either Windows 2000 SP3 or SP4, said Dunham.

Already, iDefense has reliable evidence that the exploit code has been used by known Trojan horse authors to infect "several hundred" machines worldwide.

"We expect to see an even larger number of machines Trojaned," said Dunham.

The next step, if this exploit follows the pattern laid down by MSBlaster, would be the release of a worm that spreads automatically over the Internet, infecting thousands of Windows PCs hourly. "I think it's only days before we see a worm," said Dunham.

The most likely vector of a new worm into corporate networks will be laptop workers bringing unpatched machines to the office, according to Counterpane's Schneier. "It has to get through the firewall," he explained. In its security bulletin, Microsoft has recommended blocking unused ports to stymie possible exploits of the vulnerabilities. Most enterprises can deflect an exploit, say a new worm, at the firewall, even if they haven't yet managed to patch all the vulnerable PCs.
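The two defensive points in the paragraph above (block RPC ports at the perimeter, and expect the worm to arrive on an unpatched laptop that is already inside the firewall) translate into two checks a security team can run over firewall logs. The script below is an added example, not code from the article, iDefense or Counterpane. It assumes a constructed log format, assumes the RPC/DCOM service ports are TCP 135, 139, 445 and 593 (general knowledge of the service, not stated in the article), assumes 10.0.0.0/8 is the corporate LAN, and treats a host that reaches many distinct peers on 135/tcp within a minute as worm-like fan-out. The sample log lines are constructed.

```python
"""Perimeter-gap and worm fan-out checks over firewall logs.

Added example, not code from the article or from iDefense/Counterpane.
Assumptions not stated in the article:
  * log line layout: "<iso-timestamp> <src_ip> <dst_ip> <dst_port> <proto> <ALLOW|DENY>"
  * RPC/DCOM is reachable on TCP 135 (endpoint mapper), 139, 445 and 593
  * 10.0.0.0/8 is the internal network
  * a source that reaches many distinct hosts on 135/tcp within a short
    window is behaving like a scanning worm, not a normal client
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress

RPC_DCOM_PORTS = {135, 139, 445, 593}                  # assumption, see docstring
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: corporate LAN


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    port: int
    proto: str
    action: str


def parse_line(line: str) -> Event:
    """Parse one log line in the constructed layout into an Event."""
    ts, src, dst, port, proto, action = line.split()
    return Event(datetime.fromisoformat(ts), src, dst, int(port),
                 proto.lower(), action.upper())


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def perimeter_gaps(events) -> list:
    """Connections from outside the LAN that were ALLOWED to an RPC/DCOM port.

    Each hit is a port the "block unused ports" advice has not yet covered."""
    return [(e.src, e.dst, e.port) for e in events
            if e.action == "ALLOW" and e.port in RPC_DCOM_PORTS
            and not is_internal(e.src)]


def fanout_scanners(events, port=135, threshold=8, window_seconds=60) -> dict:
    """Sources that reached >= threshold distinct hosts on `port` inside one window.

    A worm carried in on a laptop never crosses the perimeter, so the only
    thing the firewall log shows is the fan-out of its scanning."""
    by_src = defaultdict(list)
    for e in events:
        if e.port == port and e.proto == "tcp":
            by_src[e.src].append(e)
    suspects = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        best = 0
        for i in range(len(evs)):          # sliding window starting at each event
            seen = set()
            for e in evs[i:]:
                if (e.ts - evs[i].ts).total_seconds() > window_seconds:
                    break
                seen.add(e.dst)
            best = max(best, len(seen))
        if best >= threshold:
            suspects[src] = best
    return suspects


# Constructed sample: an internal laptop (10.0.5.20) sweeping 135/tcp across the
# LAN, a normal file-share session, an external probe the firewall dropped, and
# one external connection to 135/tcp that the firewall let through.
SAMPLE_LOG = "\n".join(
    [f"2003-09-12T09:01:{i:02d} 10.0.5.20 10.0.5.{100 + i} 135 tcp ALLOW" for i in range(12)]
    + [
        "2003-09-12T09:05:00 10.0.5.31 10.0.5.7 445 tcp ALLOW",
        "2003-09-12T09:06:00 203.0.113.9 10.0.5.7 135 tcp DENY",
        "2003-09-12T09:07:00 198.51.100.4 10.0.5.9 135 tcp ALLOW",
    ]
)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("perimeter gaps:", perimeter_gaps(evs))
    print("fan-out suspects:", fanout_scanners(evs))
```

The fan-out threshold and window are tuning knobs: on a real network, set them above the number of distinct hosts a legitimate client touches on 135/tcp per minute (domain controllers and management stations will be the noisy ones) and keep an allow-list for those rather than lowering the threshold.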

Wednesday, iDefense discovered source code for a second exploit, said Dunham, one that initiates a denial-of-service (DoS) attack on vulnerable systems. However, he characterized this new code as less dangerous than the exploit uncovered Tuesday.

Even so, there's already evidence that Chinese hackers are working on new tools that would expand the original exploit to make it usable against Windows XP machines, he said.

From the day that Microsoft released patches for the new vulnerabilities -- which lie in the Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) interface within Windows -- security experts voiced concerns that the flaws would certainly be exploited by new worms.

"It's gone from you really should install the patch, to look, the exploits are here," said Schneier.

Schneier took Microsoft to task for the continuing problems that plague Windows users. "They make it sound like worms are like the weather ... unavoidable," he said. "But a vulnerability is a mistake."

An attacker who takes advantage of that mistake is, of course, culpable, said Schneier, but so is Microsoft.

"If you have a faulty door lock and someone breaks in, the locksmith who sold you that lock has some culpability, even if the burglar took advantage of the [broken] lock. If you're sold a faulty lock, you're gonna go to the locksmith and say what the-" Schneier said.

"Microsoft has at least part of the blame here, certainly more than they're willing to accept.

"I'm just tired of their empty promises," he concluded.

This story courtesy of TechWeb.