New Windows Worm on the Way?

With the posting Wednesday of proof-of-concept exploit code for one of the newly discovered vulnerabilities in Windows, the familiar chain of events that often leads to the release of a worm has begun.

The cycle began Tuesday when Microsoft Corp. released its monthly passel of patches, including one for a flaw in the Workstation service in Windows 2000 and XP. A successful exploitation would give the attacker complete control of the compromised PC, Microsoft said.

Less than 24 hours after Microsoft issued the fix, two members of the BugTraq security mailing list posted exploit code for the vulnerability. The author of one of the exploits said the code had been tested only on a Windows 2000 machine with Service Pack 4 installed and the FAT32 file system running. The other exploit is designed for machines running Windows XP. However, experts said it would take little effort to adapt the code for other Windows machines.

And, more importantly, the Workstation vulnerability appears to be a prime candidate for a worm.

“It definitely has worm possibilities. The Workstation service is on by default and in non-firewalled environments its wide open,” said Scott Blake, vice president of information security at BindView Corp., based in Houston, Texas. “Especially in broadband environments, this is a candidate to run rampant.”

The worm outbreaks of the last two years generally have followed a kind of loose pattern in which the vendor or a researcher discloses the vulnerability, followed closely by the release of the patch. Then comes the mad scramble to patch vulnerable systems before someone drops exploit code onto one of the mailing lists or underground Web sites. Then, in Act Three, the code is used as the basis for a worm, which then plows through the Internet with varying degrees of success.

This pattern was established when Code Red hit in July 2001, and essentially has remained unchanged through the appearances of Nimda, Slammer, Blaster and a handful of minor worms. What has changed is the amount of time that elapses between the release of the patch and the appearance of the worm.

This window has been closing rapidly in the last year or so, meaning that administrators have less and less time to update their systems before trouble arrives. Despite some similarities in most of the major worms of recent months, experts say there seems to be no rhyme or reason to which vulnerabilities crackers end up attacking with worms.

“Its a hit-or-miss proposition,” Blake said. “We havent yet figured out a way to predict which ones will be worms.”

Discuss This in the eWEEK Forum