Windows 2000 Exploits Raise Worm Attack Fears

Security researchers have already reverse-engineered the patch for a critical vulnerability in the Win2K operating system. Is a network worm attack like Zotob coming?

Fears of a network worm attack targeting unpatched Windows 2000 systems heightened on Thursday with news that private security researchers have already reverse-engineered Microsofts critical MS05-051 update to create proof-of-concept exploits.

The MS05-051 bulletin, which shipped as part of Microsoft Corp.s October batch of patches, includes fixes for four different Windows flaws, one of which is considered a major worm hole in the enterprise-heavy Windows 2000 operating system.

That bug, an unchecked buffer in the MSDTC (Microsoft Distributed Transaction Coordinator), could be exploited by a remote unauthenticated user to take complete control of an unpatched system.

"That one is really easy to exploit," said Marc Maiffret, co-founder and chief hacking officer at eEye Digital Security, the private research outfit that discovered and reported the vulnerability to Microsoft.

"We are definitely going to see dangerous exploits for it because its not really technically challenging to write the exploit code," Maiffret said in an interview with Ziff Davis Internet News.

"Whether we see a worm or not will depend on whether anyone wants to write a worm. If someone wants to unleash a worm, its really not that hard with this vulnerability," he added.

Already, the underground chatter is triggering fears of an attack like the Zotob worm that crippled some big-name companies—CNN and the New York Times included—that were tardy in applying the patches released in August.

Immunity Inc., a vulnerability research company with a handful of employees, has already reverse-engineered Microsofts patches to create proof-of-concept exploits for three vulnerabilities, including one for the MSDTC flaw.

Immunity chief executive Justine Aitel said the proof-of-concept has been released to IDS (intrusion detection companies) and larger penetrating testing firms as part of a partner program that shares up-to-the-minute information on new vulnerabilities and exploits.

/zimages/4/28571.gifClick here to read about how Microsoft handled the Zotob worm.

"Typically, our partners have access to our research as we produce it. Like a lot of researchers, we focus on Patch Tuesday and, as we produce our research, we make those available to partners. In this case, we created an early-stage exploit and released that into the program," Aitel said in an interview.

"The minute Microsoft released the bulletins, we focused on creating proof-of-concepts for our partners and customers. Were still working on the reliability of that exploit before we distribute it to our CANVAS service," Aitel said.

She corrected a diary entry by incident handlers at the SANS ISC (Internet Storm Center), making it clear that the distribution of the exploit was limited to the partner program and not the CANVAS product.

Aitel also stressed that theres a "big difference between a proof-of-concept and a reliable exploit."

"Theres a huge difference between something capable of crashing the victim machine and something that exploits the bug 100 percent of the time. We know the [proof-of-concept] we release can exploit the bug, but turning that into something reliable is something we have to keep working on," she added.

The SANS ISC also warned of "non-specific exploit warnings from managed security service providers."

Officials at the MSRC (Microsoft Security Response Center) said they plan to monitor the mailing lists and underground chatter to determine whether a worm attack is imminent.

/zimages/4/28571.gifRead more here about the Microsoft Security Response Center and how it operates.

If Redmond believes the proof-of-concepts circulating can be redeveloped into a working exploit, the company could issue a security advisory with pre-patch workarounds and other mitigation guidance.

Just before the Zotob attack in August, the company used that mechanism to beat the drum for customers to download and apply the available patches, and its likely that an advisory could be released some time Thursday or Friday.

Russ Cooper, senior information security analyst with Cybertrust Inc., is downplaying the risks. "Systems which are vulnerable to a MSDTC worm are wide open to the Internet, not blocking ports [at least] above 1024. Doesnt matter whether they are, or are not, listening on 3372," Cooper said.

"Such systems are ripe for attack of all sorts anyway. If theyre vulnerable to this, theyre already hosed. A worm is not going to get any more legs than Zotob did, and in fact, such a worm will get less legs as the attacker tries to figure out which of the higher ports MSDTC is actually on," Cooper added.

The message from Microsoft is for Windows 2000 users to treat MS05-051 as a high-priority update.

"[We are] aware that exploit code for the vulnerabilities addressed by Microsoft security bulletin MS05-051 is available through third-party fee-based security offerings. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time," MSRC program manager Stephen Toulouse said Thursday.

He said Microsoft would actively monitor the situation to keep customers informed and to provide customer guidance as necessary.

"Currently this exploit is not publicly available, but we continue to urge customers on older versions of our operating systems to deploy MS05-051 to help protect from attempted exploitation," Toulouse said.

"The MSRC is constantly monitoring the threat environment for any malicious activity. We are keeping an especially close eye on the newsgroups and vulnerability lists for exploits related to this months activities and will mobilize immediately to help protect customers against threats as necessary."

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.