April 30, 2004 2:34 PM PDT
Worm warning intensifies
Security companies are urging clients to patch their Windows systems, as concerns heighten that an MSBlast-like worm could be released as early as this weekend.
As previously reported, the worries are driven by the release of several effective programs for exploiting a widespread vulnerability in a security function of Windows, known as the Local Security Authority Subsystem Service, or LSASS. The programs, known as exploit code, have also been integrated into remote attack software known as bot software, a move widely considered to be the penultimate stage in a code's engineered evolution from simple script to full-blown worm.
On Friday, network protection company Lurhq released an advisory to its clients, saying there was a "high probability that a worm may be released in the next 24 to 48 hours."
Security company Symantec has also warned customers that attacks that exploit the LSASS vulnerability are climbing. On Thursday, the company informed clients that two of its "honeypot" servers--computers that aren't used for business but to attract malicious programs and detect new threats--had been compromised by bot software within minutes of each other.
Bot software has already compromised a large number of computers, surreptitiously turning those systems over to the control of the attacker and making them the attacker's "bots." Because of the scope of the attacks, Symantec's Huger said that companies should not look at worms as the greatest threats.
"I would say the bot networks are as dangerous or more dangerous than worms," he said. "We are telling our clients not to defend against an expected worm but to patch." That way, they are protected against both dangers, he said.
Microsoft has confirmed the reports of code designed to exploit LSASS and requested that all clients update their software. The patch will also protect against another issue that affects the security features of Microsoft's Web server software.
Though many security companies have warned customers of the potential of an LSASS-related worm, the Lurhq release is perhaps the most forceful advisory to date.
Symantec's Huger said he thought a worm would likely be written, but he didn't predict when it might appear. Craig Schmugar, a senior antivirus researcher with security company Network Associates, said that though the Lurhq release involves a likely scenario, the company may have turned the volume up a bit too high.
Get the patch: Read Microsoft advisory MS04-011 and apply
"I guess they are trying to stress the criticality of the situation," he said.
Joe Stewart, senior security researcher with Lurhq, said part of the impetus for the advisory is the history of the last few major worms. Both the Witty worm and the Slammer worm were released on a Friday. The MSBlast worm, however, was likely released on a Sunday.
"If there is ever a time that they like to release a worm, it's Friday night after every admin has gone home," Stewart said. He added that the company wanted "to give our customers a greater sense of urgency to patch" their systems.