Worms Exploiting Windows Server Service Vulnerability
Published: August 16, 2006
by Alex Woodie
New worms are making the rounds of the Internet, infecting Windows computers, and launching denial of service attacks following last week's release of security patches by Microsoft. While Windows users who have applied the patch for the critical vulnerability in question--MS06-040--are protected, the patch has yet to be downloaded and installed on millions of PCs around the world, providing a lucrative window of opportunity for malware writers and hackers.
Last Tuesday, Microsoft issued a large number of patches to fix security problems affecting a wide swath of its products (see "Microsoft Fixes 23 Security Vulnerabilities with 12 Patches").
Immediately, one of the nine critical security problems stood out--the buffer overflow vulnerability in the Windows Server Service facility in Windows Server 2003 Service Pack 1, Windows XP SP2, and Windows 2000 SP4, which is corrected with the patch MS06-040. This vulnerability poses a higher risk because it does not require any user interaction for an attacker to exploit the problem and take complete control of a system.
When Microsoft issued patch MS06-040, the company had already learned that exploit code for this vulnerability was available on the Internet. Following the release of the patch, word spread quickly among the hacking community, and before long malware writers had used the available exploit code to retrofit an older worm to take advantage of the newly reported vulnerability; at least one new vector was created for bad purposes, too.
Antivirus vendors gave the worms, which also use the backdoor-access features of a Trojan horse, different names. Symantec called the threat W32.Wargbot, Trend Micro dubbed the worm Worm.IRCBOT.JK/JL, McAfee called it IRC.Mocbot, F-Secure refers to the worm as IRCBOT-ST, and Sophos calls it W32/Cuebot-L. Microsoft also refers to a worm called Graweg, which it says mainly affects Windows 2000- and Windows XP SP1-based PCs.
The worms propagate in several ways, including via infected e-mail attachments, infected network shares, and through infected Web sites that the worm sends links to using the victim's AOL Instant Messenger buddy list. Once a user becomes infected with the worm, it installs itself to the system, modifies several security settings (including the firewall), and attempts to connect to remote Internet Relay Chat (IRC) servers, which are located in China, according to LURHQ, a security software and service provider based in Illinois and South Carolina.
The worm then starts listening for commands from a remote attacker, including execution of arbitrary code or participation as a bot in a distributed denial of service (DDoS) attack. The changes made to the system are so extensive that users must completely wipe their hard drives and reinstall their operating systems--or, as the SANS Institute so succinctly put it, "nuke it from orbit."
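The two behaviours just described--an infected host hammering its neighbours' Server service to spread, then calling out to IRC for commands--are what a network defender can actually look for while the patch is still rolling out. The following is an added example written for this article, not code from any of the vendors or from Microsoft. It runs over a constructed, simplified firewall log (timestamp, source, destination, destination port, action) and assumes two things the article does not spell out: that the Server service is reached over SMB (TCP 139/445), and that the bots use the standard IRC port range (6660-6669 and 7000); the thresholds and IP ranges are likewise illustrative.

```python
"""Detection heuristics for MS06-040-style worm activity in firewall logs.

Added example, not code from the original article. Assumptions (not from the
article): SMB on TCP 139/445 carries the Server service traffic the worm
spreads over; IRC command-and-control uses TCP 6660-6669 or 7000; RFC 1918
space is "internal"; the log line format is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SMB_PORTS = {139, 445}                              # assumption: Server service over SMB
IRC_PORTS = set(range(6660, 6670)) | {7000}         # assumption: standard IRC ports
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16"),
            ip_network("172.16.0.0/12")]

SCAN_THRESHOLD = 20                                 # distinct SMB targets within the window
SCAN_WINDOW = timedelta(minutes=1)


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_line(line):
    # constructed format: "2006-08-14T10:00:01 10.1.2.3 10.1.2.4 445 ALLOW"
    ts, src, dst, dport, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "action": action}


def find_smb_scanners(events):
    """Return {src: peak distinct SMB targets} for internal hosts that touch
    SCAN_THRESHOLD or more distinct hosts on SMB ports inside SCAN_WINDOW."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["dport"] in SMB_PORTS and is_internal(ev["src"]):
            by_src[ev["src"]].append(ev)
    scanners = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, 0
        window_dsts = defaultdict(int)                # destination -> hits in window
        for ev in evs:
            window_dsts[ev["dst"]] += 1
            # slide the window start forward until it spans at most SCAN_WINDOW
            while ev["ts"] - evs[start]["ts"] > SCAN_WINDOW:
                old = evs[start]["dst"]
                window_dsts[old] -= 1
                if window_dsts[old] == 0:
                    del window_dsts[old]
                start += 1
            best = max(best, len(window_dsts))
        if best >= SCAN_THRESHOLD:
            scanners[src] = best
    return scanners


def find_irc_beacons(events):
    """Return {src: {dst, ...}} for internal hosts connecting to external IRC ports."""
    beacons = defaultdict(set)
    for ev in events:
        if (ev["dport"] in IRC_PORTS and is_internal(ev["src"])
                and not is_internal(ev["dst"])):
            beacons[ev["src"]].add(ev["dst"])
    return dict(beacons)


def build_sample_log():
    """Constructed sample: 10.1.2.3 sweeps 40 neighbours on 445 in 40 seconds and
    then connects to an external IRC server; 10.1.2.50 is a normal file-share user."""
    base = datetime(2006, 8, 14, 10, 0, 0)
    lines = []
    for i in range(1, 41):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} "
                     f"10.1.2.3 10.1.2.{100 + i} 445 ALLOW")
    lines.append(f"{(base + timedelta(seconds=60)).isoformat()} 10.1.2.3 203.0.113.10 6667 ALLOW")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} 10.1.2.50 10.1.2.7 445 ALLOW")
    lines.append(f"{(base + timedelta(seconds=9)).isoformat()} 10.1.2.50 10.1.2.8 445 ALLOW")
    return lines


def analyse(lines):
    events = [parse_line(line) for line in lines]
    return {"scanners": find_smb_scanners(events),
            "irc_beacons": find_irc_beacons(events)}


if __name__ == "__main__":
    print(analyse(build_sample_log()))
```

On the constructed log the sweep from 10.1.2.3 is flagged (40 distinct SMB targets inside one minute) and its later IRC connection is reported as a beacon, while the two legitimate share accesses from 10.1.2.50 stay below the threshold. In a real deployment the SMB heuristic only identifies hosts that are already infected and spreading; it does not tell you which hosts are still unpatched, which is the question the remainder of this article is about.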
The threat posed by the Server Service Vulnerability is so great that the U.S. Department of Homeland Security last week posted a bulletin recommending all Windows users apply the patch immediately--the first time the DHS has made such a recommendation. The Server Service Vulnerability was given the highest threat rating (10 out of 10) by the Department's U.S. Computer Emergency Readiness Team (US-CERT), and was the subject of two security advisories last week.
Antivirus vendors disagreed on the risk posed by the worms. Symantec gave the threat a high rating, F-Secure gave it a threat level of two (out of three), while McAfee said one of the worms posed a low threat to corporate and home users. Despite the differences of opinion, all antivirus vendors recommended users apply MS06-040 immediately.
Sophos said on Saturday to expect more worms. "There will be many Windows computers that will not have been patched yet and may be vulnerable to infection and compromise. We wouldn't be surprised if more worms were released which exploited this security hole in Microsoft's software," says Graham Cluley, senior technology consultant for Sophos.
The episode also reflects badly on Microsoft and its effort to secure its operating system. "This is a real headache for Microsoft as they try and reassure people that their operating system is becoming more secure," Cluley says.
Microsoft, in its Microsoft Security Response Center Blog!, downplayed the issue somewhat by saying that the attacks are relatively contained, that they are tapering off, and that they mostly affected Windows 2000. "However," writes Adrian Stone in the Blog!, "we are in no way underplaying the severity of the vulnerability addressed in MS06-040: We continue to urge customers to deploy and test the update with a heightened sense of urgency."
To maximize the distribution and impact of its patch, Microsoft throttled down some of the other updates and focused its servers on getting out MS06-040. In some cases, this forced Windows Update users to run the update twice to get the remainder of the updates. The move seemed to work, to an extent: In the first 30 hours following the availability of the patch, it was downloaded more than 100 million times, or roughly 3.3 million per hour, Microsoft says.
To put those downloads in perspective, more than 850 million PCs have been sold since 2001, according to the Computer Industry Almanac. Assuming that most of those are Windows machines, it would take about 10 days to patch all the PCs at that rate. This wide window of opportunity, coupled with the certainty that there are more Windows vulnerabilities that we don't know about, is why malware writing is a growth business, and will continue to be for the foreseeable future.