By Jack M. Germain TechNewsWorld
04/26/04 12:45 PM PT
The increase in suspicious activity through the week had Internet security experts bracing for what some analysts warned could be the next big worm attack worldwide. Virus monitors spent the weekend watching an increased level of activity that experts said could be the start of a Blaster-like or Slammer-like attack.
Early warning last week about increased signs of a possible superworm in the making may have slowed down a new attack on the Internet. But evidence continues to grow, according to a VeriSign (Nasdaq: VRSN) security officer, of a major new denial-of-service attack to be mounted from thousands of already-infected computer systems.
Charles Kaplan, MSS information security officer for VeriSign, told TechNewsWorld yesterday that a new worm with marching orders for some major Internet activity should be evident within the next few days.
"I thought it already would have happened," Kaplan said. "It's a waiting game to see if someone will inject the code that is now available."
He said the amount of abnormal Internet traffic continued to run very high through the weekend. VeriSign has been tracking this activity on its customers' computer systems around the United States since just before last weekend.
Early recognition of troublesome activity has given IT departments time to apply patches announced by Microsoft (Nasdaq: MSFT) last week to protect against the ASN.1 and LSASS buffer-overflow vulnerabilities in Windows machines.
"Attention on the potential new worm is much more focused now," Kaplan said, citing this as the main reason prevention should be more successful than it was for previous DOS attacks.
Impact Will Be Lessened
Kaplan said that just because nothing has happened yet doesn't mean the threat is over. He is still confident that something big will happen. The attack probably won't move as rapidly as the Blaster or Slammer worms, he said -- but what the new worm will lack in speed, it will make up for in durability.
Continued access to peer-to-peer networks allows attack masters to transfer much bigger files to and from compromised computers. New attack codes can remain dormant until updated instructions have achieved the desired level of distribution.
"I can't believe that nobody will be taking advantage of this in the next few days," Kaplan told TechNewsWorld. He likened the temptation to that of a kid set loose in a candy store. "Somebody is going to eat that candy," he said.
Disturbing Progress
Kaplan said engineers monitoring VeriSign customers' computers documented a spike in volume starting April 16th. That activity involved numerous probes checking for computers that already had a back door opened from a previous vulnerability. Engineers succeeded in uncovering portions of the DOS code.
By last Thursday, engineers found that DOS code posted publicly on many well-known hacker Web sites.
Mikko Hyppönen, director of antivirus research at F-Secure in Helsinki, Finland, told TechNewsWorld earlier in the week that there is cause for alarm. At that time, he said he expected a Blaster-like RPC worm to emerge within the next two to three weeks.
Spot data checks on port 443 traffic at clients' computers all week continued to show an alarming increase in volume, according to Kaplan.
VeriSign monitors network traffic on popular service ports (such as port 25, which is typically used for e-mail; port 80, which is typically used for Web traffic; and port 443, which is used for SSL transactions) and records aggregate data every hour. Kaplan said VeriSign uses this historical trending to develop models of what traffic on the Internet looks like during both normal and hostile times.
"We focus a great deal of engineering resources studying the transitional period between these two states. The better the model we can build around this, the more likely we can provide early warning," he said.
Worst Yet To Come
Kaplan said he is certain some type of widespread new worm will be released this week. All indications are that the worm will specifically exploit the SSL vulnerability.
But if the worm is limited to an SSL exploit, it won't reach the critical mass attained by Slammer and Blaster, according to Kaplan. Those two worms were so much trouble because they impacted server and desktop systems alike. The SSL vulnerability will, for the most part, only affect servers, so the number of vulnerable systems is significantly reduced.
But don't let that give you a false sense of security. Kaplan said systems compromised by an SSL worm might become "owned" by underground groups that frequently build large "bot nets" of such systems and then use them in coordinated attacks.