Hackers Circulate New Code For Exploiting Windows

The code targets systems that haven't been patched against the flaw in Microsoft's Abstract Syntax Notation One (ASN.1) library, a vulnerability which was discovered in July 2003 by eEye Digital Security but made public only a week ago Tuesday.

First found on Saturday, Feb. 14 -- just four days after the vulnerability was disclosed -- the exploit code is fully functional and can crash compromised Windows machines, said Ken Dunham, the director of malicious code research for iDefense. By Tuesday, iDefense had spotted three separate exploits for the ASN.1 vulnerability, all of them widespread on multiple discussion groups and hacker Web sites.

"The widespread distribution of this new exploit code has significantly increased the threat level for ASN.1 possible attacks," said Dunham. "It's far more likely that we will soon see hacking, Trojans, and worms emerge against this vulnerability now that exploit code is widely available."

Although most large companies have already started to roll out patches for the ASN.1 vulnerability and should wrap up the chore this week, there will still be countless targets for the exploit code, said Dunham.


The exploit code causes the Microsoft Local Security Authority Subsystem process, LSASS.exe, to crash. The malformed data can be delivered over Server Message Block (SMB) on TCP port 445 or over NetBIOS session sharing on TCP port 139, whenever those services are listening.
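Since the article identifies the delivery channels as SMB on port 445 and NetBIOS on port 139, the practical check a defender wants is whether those ports are reachable from outside the organisation. The following is an added example, not code from the article or from iDefense: it triages constructed firewall-style connection-log lines and flags TCP connections to 445 or 139 whose source lies outside assumed internal address ranges. The log line format, the internal ranges, and the sample lines are all assumptions made for this example.

```python
"""Flag inbound SMB/NetBIOS connections from outside the organisation.

Added example (not from the original article). It reads connection-log lines
in an assumed format, keeps TCP connections to the two ports the article
names (445 for SMB, 139 for NetBIOS session service), and reports those whose
source address is not in the assumed internal ranges.
"""
import ipaddress
import re
from collections import Counter

# Ports the article names as the channels for the crash-inducing data.
SMB_PORTS = {445, 139}

# Assumed internal address space (RFC 1918); adjust to the real network.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Assumed log line shape:
#   <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)\s*$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return {
            "ts": m["ts"],
            "proto": m["proto"].upper(),
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "dport": int(m["dport"]),
            "action": m["action"].upper(),
        }
    except ValueError:  # malformed IP address or port
        return None


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def find_external_smb(lines):
    """Return records for TCP connections to 445/139 from external sources.

    Denied connections are kept too: a blocked attempt still tells the
    defender who is probing the SMB/NetBIOS ports from outside.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] != "TCP" or rec["dport"] not in SMB_PORTS:
            continue
        if is_internal(rec["src"]):
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged connections per (source address, dest port, action)."""
    return Counter((str(h["src"]), h["dport"], h["action"]) for h in hits)


# Constructed sample log lines (documentation-range addresses, not real hosts).
SAMPLE_LOG = [
    "2004-02-17T10:01:02 TCP 203.0.113.7:51234 -> 10.1.2.3:445 ALLOW",
    "2004-02-17T10:01:05 TCP 203.0.113.7:51235 -> 10.1.2.4:139 ALLOW",
    "2004-02-17T10:02:00 TCP 10.1.2.9:50000 -> 10.1.2.3:445 ALLOW",     # internal
    "2004-02-17T10:02:30 UDP 198.51.100.5:137 -> 10.1.2.3:137 ALLOW",   # not 445/139
    "2004-02-17T10:03:00 TCP 198.51.100.5:4444 -> 10.1.2.3:445 DENY",
    "this line is not a connection record",                             # skipped
    "2004-02-17T10:04:00 TCP 203.0.113.7:51236 -> 10.1.2.3:445 ALLOW",
]

if __name__ == "__main__":
    for (src, port, action), count in summarize(find_external_smb(SAMPLE_LOG)).items():
        print(f"{src} -> port {port} {action}: {count}")
```

Running the block prints one line per external source, port and action. Allowed external connections to 445 or 139 are the ones to act on first, since those hosts are exactly the unpatched systems the article says remain reachable.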

According to Dunham, the existing exploit code only aims to conduct denial-of-service (DoS) attacks against targeted sites and companies. At least one major company suffered an attack this weekend, he said, although he declined to name the firm or its Web site.

But while there's the possibility that these exploits may be automated into a worm that can carry out even broader attacks on ASN.1-vulnerable systems, Dunham said that isn't likely.

"We might see a significant worm come out, but writing one is more difficult than, say, MSBlast," he said. "We see the same evolution as in MSBlast, but it'll be tougher for hackers to create the code that leads to a worm or a Trojan horse."

Instead, he sees the exploit code as the forerunner to a new wave of DoS and backdoor attacks.

The fast appearance of exploit code for the ASN.1 vulnerability is yet more proof of an increasingly sophisticated hacker community that reacts within hours, or at most days, to a new vulnerability.

"The increases in experience and coordination on the part of attackers towards rapid exploitation are dramatic," he said. "If we would have said ten years ago that you'd see this level of attacks, your mouth would have dropped open and you would have said that's all Hollywood stuff."

The spikes in vulnerabilities and associated attacks will continue, and thanks to the trend of putting out source code for existing worms -- as well as the recent leak of Windows source code to the Web -- will likely get worse, he added.

"The large number of vulnerabilities, and the availability of exploit code and worm source code and Trojan source code, as well as the editing of [hacker] tools, give them all the keys they need for rapid exploitation.

"Bottom line, they're getting more efficient exploiting vulnerabilities," Dunham said.

*This story courtesy of Techweb.com.