New Worm Headed Our Way?

Security experts believe it's only a matter of days, if not hours, before someone releases a worm to attack the newly found flaws in Windows.

Administrators and security specialists hoping for a breather now that Blaster has faded and SoBig.F has expired may be in for a long weekend.

The nature of the new vulnerabilities revealed yesterday in the RPC DCOM implementation in Windows is so similar to the one that Blaster exploits that security experts believe its only a matter of days, if not hours, before someone releases a worm to attack the new weaknesses. Even though it infected close to a million machines, experts say the Blaster worm was poorly coded and as a result did not do nearly the damage that a more efficient worm could have done. Blaster easily could be modified to work much better, and because the source code for the worm is readily available online, its likely that someone is already at work on that task.

"It all adds up to a situation where well probably see a worm in the next 24 hours or so," said Jerry Brady, chief technology officer at managed security provider Guardent Inc., based in Waltham, Mass. "This could be worse. It wouldnt take very much—just some very minor changes to the way the RPC connections work or the duration of the connections."

Like the vulnerability that Blaster exploits, two of the three new flaws reported in the RPC DCOM implementation in Windows are buffer overruns that could enable an attacker to run arbitrary code on a vulnerable machine. The flaws affect Windows NT 4.0, 2000, XP and Windows Server 2003.

Although the vulnerability itself isnt found in other operating systems, Brady said that some of Guardents customers had Blaster-related problems on non-Windows systems. Some of the customers problems stemmed from the fact that Unix-based management systems have a hard time handling the volume of RPC requests that were being generated by infected PCs.

"Some of these systems were seeing 15 to 22 times the normal number of connection attempts, which doesnt sound like that much but its still out of bounds for these workstations," Brady said.

Another issue causing concern in the security community is the fact that many of the control systems for utilities such as water plants and nuclear power plants use RPC to link their supervisory control and data acquisition (SCADA) systems to their Internet-connected networks. SCADA systems comprise central controllers and sensors and are used to remotely control complex systems such as power grids and water treatment facilities.

There have been some reports that Blaster played some role in causing the large blackout last month that affected much of the Northeast United States and parts of the Midwest. Brady said he fears that an improved RPC worm could produce far worse results.

"The SCADA systems are not well understood and its such a minor bit of work for the underground to do to modify the worm. The whole connection to SCADA is worrisome," he said.

Discuss this in the eWEEK forum.