Worms hit right on schedule

Commentary: Computer worms often strike about 30 days after Microsoft releases software patches. MS just released four patches, so the clock is ticking. But Robert Vamosi says this time might be different.

Editor's note: Over the weekend, after Rob wrote this column, Sasser.a and Sasser.b hit the Net--hard.

The clock is ticking. A new, and possibly nasty, Internet worm is almost certainly coming. How do I know? Every time Microsoft releases new security patches, it's just a matter of time until some crook reverse engineers them to find the original vulnerability. So I thought it would be interesting to explore the entire process, from patched vulnerability to final worm. I'm doing so not to facilitate another worm (believe me, criminal hackers, or crackers, already know how to do all this), but this way, should one hit, we've all had plenty of warning.

I'm going to start with something I call the Eschelbeck Theory, named after security expert Gerhard Eschelbeck, of a security company called Qualys. His research shows that half the vulnerable systems in the world get patched within the first 30 days after a vulnerability patch announcement. Toward the end of that same 30 days, someone inevitably releases a virus or worm to exploit the unpatched systems. It's this latter phase that I want to discuss this week.

Microsoft hits a bad patch
On April 13, Microsoft released its April Security Bulletin. In it were four patches designed to fix 20 vulnerabilities in all versions of Windows. At first blush, it appeared that Microsoft put time and care into researching the underlying issues and patching everything at once rather than giving a piecemeal solution.

But I should have known better than to praise Microsoft for its latest security patches. Shortly after I wrote my column, several system administrators reported serious trouble with MS04-011. Although I qualified my enthusiasm throughout the column, my general thrust was that the patches were safe. Microsoft has since released a knowledge base article, 835732, that identifies various problems with the patch and offers solutions or workarounds. So far, most home users have not reported problems with the four patches.

What's ironic is that this one patch, MS04-011, remedied some 14 individual vulnerabilities, including flaws in major protocols of the Internet, such as Secure Sockets Layer (SSL), Abstract Syntax Notation 1 (ASN.1), and Local Security Authority Subsystem (LSASS). Already, some of these MS04-011 vulnerabilities have exploits floating around the Internet. How did they get there? Let me explain.

The life cycle of a typical Microsoft flaw
Here's how a typical Microsoft flaw gets converted into a worm. Last June, eEye found a flaw in RPC DCOM and notified Microsoft, who then patched the flaw on July 17. By the time I was attending Black Hat Briefings in Las Vegas, two weeks later, crackers had released several RPC DCOM exploits on the Internet, and security experts at the conference were trying them out, seeing what the exploits would do. Two weeks after that, a cracker took one of the exploits and created what we now know as the MSBlast worm.

We're now a couple of weeks out from the Microsoft April Security Bulletin announcement. Already, there's a new exploit for the SSL vulnerability on IIS servers. And it appears that Phatbot (a Trojan) is now exploiting the LSASS flaw. But despite the Eschelbeck Theory, don't expect a new worm tomorrow morning. For one thing, an exploit for the ASN.1 flaw has been known since February, and no worm ... yet.

One reason for the delay is that crackers first use a given exploit for their own benefit, such as compromising a few target systems worldwide for theft or other purposes. Only when they are done will they use the exploit as the basis of a new worm.

Thwarting the next superworm
This time around, however, the effects of any new worms might be stunted. In recent days, VeriSign, which signs certificates used in SSL transactions, has been alerting businesses to patch their Windows systems against the SSL and LSASS flaws. The action is based on increasing SSL traffic on port 443 worldwide, perhaps a sign that criminal hackers are using the new SSL exploit for their own deeds and will soon release a full-blown worm. It is VeriSign's hope that proactive patching will blunt the effects of any pending superworm.

Someday, the Eschelbeck Theory will be a footnote in history. Until then, each of us will need to follow VeriSign's lead and take the time to secure our computers as soon as possible. By reducing the number of vulnerable machines in the world, we also diminish the impact any virus or worm will have; then maybe crackers will move on to other pastimes.


Talkback 3 comments

    Hey, Linux can get hit by worm ...Anonymous -- 04/05/04

    Hey, Linux can get hit by worms too, but yet, it suffers less than 1% of the worm infestations compared to Windows.

    And it's got nothing to do with the percentage of systems out there. Linux has over 35% of the global Internet server market, for instance...

    Perhaps Linux really is more secure than Windows?

    It's desktop pc's that are pri ...Anonymous -- 04/05/04

    It's desktop PCs that are primarily being infected by these worms... not server systems. Your assertion that Linux is more secure based on 35% server market penetration is a joke. Servers are generally protected by firewalls limiting all but the most critical services through, whereas desktop machines are left unpatched by the masses of clueless users out there. Coupled with the fact that a vastly superior number of people are actually trying to exploit weaknesses in the Windows system as opposed to Linux, and you have a very weak argument indeed. All systems can be equally secure if the right knowledge is applied.

    The comments about security he ...Anonymous -- 07/05/04

    The comments about security here come down to three things.

    1. How many open ports (or other connection mechanisms) does a machine open?

    In simple terms, the greater the number of open ports, the greater the probability that some flaw will exist. Therefore, a system that has no open ports (which is what most home users connected only to the Internet really need) is completely secure (assuming only that the actual networking layer itself has no buffer overrun vulnerabilities, which should be a given, given the age of TCP/IP).

    2. How easy is it to control which ports are open?

    Most Linux systems only open ports when a service relating to that port is explicitly enabled. As distributions have become more "desktop-oriented", the Linux distributions have started enabling more services by default, steadily decreasing their security (in agreement with the point). However, Linux distributions generally have very straightforward ways of controlling these services and of checking what services are "advertising" to the network.

    By contrast, Windows has had default installations opening many different ports for many years. Further, trying to find out what is opening a port and figuring out how to stop it running has been quite a difficult task under Windows. Happily, it looks like Microsoft are learning though and that WinXP SP2 is taking steps towards making it easier to control services, block ports and trace who is opening ports.

    3. The dangers of single platform

    The worst situation possible in the world would be that everyone were running a single operating system. Then, any vulnerability would have the potential to bring the entire world to its knees. As network administrator where I work, I try to keep our network as diverse as possible. This way, if a vulnerability allows something into our network, it is unlikely that "everyone" will be compromised.

    The best situation possible would be lots of operating systems talking over a non-proprietary protocol that was in the public domain. This allows open review, easy comparison and an ability to resist broad attacks.

    On this vein, the moves by Microsoft (through patents) to ensure that nothing except Microsoft software can interoperate with their next generation of servers is nothing short of terrifying. Should they be successful, we could have the world crippled by a single worm.

    The other point (relating to the first submission) that has always had me stroking my beard and wondering is the fact that practically every embedded networking device (such as an Internet router, FireWall, etc.) is based on a Linux or BSD kernel.

    Of equal note is the fact that when Microsoft decided that they needed to start using non-proprietary protocols (the Internet sort of forced this on them), they used a considerable amount of existing BSD code. Read this whichever way you want...
