Dasher Squirms Through Patched Win2K Worm Hole

More than two months after Microsoft released a high-priority patch for a Windows 2000 flaw, malicious hackers launch a successful attack on still-unpatched machines.

More than two months after Microsoft Corp. issued a critical patch for a Windows 2000 worm hole, malicious hackers are successfully exploiting the vulnerability, confirming fears that patch deployment rates remain frighteningly low.

The latest network worm attack, identified by anti-virus vendors as W32/Dasher, enters through a flaw in the Microsoft Windows Distributed Transaction Coordinator that was patched in the MS05-051 bulletin released in October.

Over the last 48 hours, two variants of the worm have been seen scanning for vulnerable Windows 2000 systems through Port 1025.

If the worm finds a system responding to the port scan, the worm sends an exploit payload that connects to a remote address to wait for instructions.

The worm, which is clearly seeding botnets for malicious use, connects the infected machine to a server hosted in China and downloads two files, a copy of the worm itself and a keylogger, according to F-Secure Corp. researcher Jarkko Turkulainen.

The Dasher keylogger hides itself with a rootkit driver and is capable of hijacking sensitive information from victims' machines.
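A defender-side check for the scanning behaviour described above, added here as an example and not part of the original article: it walks a constructed firewall log, flags any source that probes many distinct hosts on TCP port 1025 inside a short window, and lists which of those hosts accepted the connection, since those are the machines to verify for the MS05-051 update first. The log format, field layout and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the article). Assumed format:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>".
SAMPLE_LOG = """\
2005-12-15T10:00:01 10.0.0.5 10.0.1.1 1025 DENY
2005-12-15T10:00:01 10.0.0.5 10.0.1.2 1025 DENY
2005-12-15T10:00:02 10.0.0.5 10.0.1.3 1025 ALLOW
2005-12-15T10:00:02 10.0.0.5 10.0.1.4 1025 DENY
2005-12-15T10:00:03 10.0.0.5 10.0.1.5 1025 DENY
2005-12-15T10:00:03 10.0.0.5 10.0.1.6 1025 DENY
2005-12-15T10:00:04 10.0.0.5 10.0.1.7 1025 DENY
2005-12-15T10:00:04 10.0.0.5 10.0.1.8 1025 DENY
2005-12-15T10:00:05 10.0.0.5 10.0.1.9 1025 DENY
2005-12-15T10:00:05 10.0.0.5 10.0.1.10 1025 DENY
2005-12-15T10:00:06 10.0.0.7 10.0.1.20 445 ALLOW
2005-12-15T10:00:07 10.0.0.7 10.0.1.21 1025 ALLOW
2005-12-15T10:30:00 10.0.0.9 10.0.1.30 1025 ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dst_port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def find_port_sweeps(log_text, port=1025, threshold=8, window=timedelta(seconds=60)):
    """Return {src: {"targets": n, "responders": [...]}} for every source that
    reaches `threshold` or more distinct hosts on `port` inside any `window`.
    `responders` are destinations the firewall allowed: hosts that answered
    the probe and are the first ones to check for the MS05-051 update."""
    hits = defaultdict(list)                       # src -> [(ts, dst, action)]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport, action = parse_line(line)
            if dport == port:
                hits[src].append((ts, dst, action))
    sweeps = {}
    for src, events in hits.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):             # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst, _ in events[start:end + 1]}))
        if best >= threshold:
            responders = sorted({d for _, d, a in events if a == "ALLOW"})
            sweeps[src] = {"targets": best, "responders": responders}
    return sweeps
```

The distinct-destination count keeps a host that retries one target from tripping the alert, and the 60-second window keeps slow, unrelated port-1025 traffic spread over the day from accumulating into a false positive.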

News of the Dasher attack is hardly a surprise. On Patch Day in October, when the fix was released, officials in the MSRC (Microsoft Security Response Center) stressed that MS05-051 should be treated as a high-priority update because it put users at risk of a "remote, unauthenticated attack."

Referring to the recent Zotob attack against unpatched Windows 2000 machines, MSRC program manager Stephen Toulouse warned that the flaw presented "a similar attack vector that could have the same impact as [the Zotob worm]."

"It's hard to predict what will happen, but this is one of those vulnerabilities that could be really dangerous, especially for customers running older versions of the operating system," Toulouse said at the time.

"If you're running Windows 2000, you want to apply this update as fast as possible. The concern is that we could be looking at another Zotob, because the attack vector is the same."

Two months later, it appears that Toulouse's fears have been confirmed by Dasher.

Shane Coursen, senior technical consultant at Kaspersky Lab's U.S. unit, said the early success of Dasher proves that tardy deployment of patches presents a problem.

"We've known for the last year that the time between the release of the patch and the creation of an exploit has been getting shorter and shorter, but, at the same time, it's taking longer for customers to apply patches," Coursen said in an interview.


"This attack doesn't surprise me at all because, for a variety of reasons, Windows users are not applying the updates. I don't want to say it's irresponsible for customers to take two months to apply a patch because businesses need to test patches properly but, for critical patches that are wormable, there's a certain urgency that's needed," Coursen added.

Sunil James, security manager at Arbor Networks Inc.'s Security Engineering Response Team, said businesses need to quicken the pace of patch testing and deployment, because network worms like Zotob and Dasher are using the victimized machines in the attack.


"We know that these kinds of high-profile vulnerabilities are leading to worms and the payloads are becoming more and more dangerous," James said, arguing that concerns about patch quality should not be an excuse to leave networks wide open to attacks that require no user action.

Andrew Jaquith, senior analyst with Yankee Group Research Inc., said some enterprises still make poor choices when it comes to security. "I hear the mantra all the time, 'It's running just fine, so don't touch it.' The problem is that it's running fine in an unpatched state and is wide open to these types of attacks."
