Digg this story   Add to del.icio.us  
Waiting for the Worms
Tim Mullen, 2003-07-21

The hole's been announced, the patch has been released. Now there's nothing to do but wait for the worm to come and wreak its ugly havoc.

"Sitting in a bunker, here behind my wall, waiting for the worms to come. In perfect isolation, here behind my wall, waiting for the worms to come."

Strangely apropos, this Pink Floyd lyric reflects the current mindset of many security-folk given the latest announcement of a critical vulnerability in most Microsoft Windows operating systems.

The Last Stage of Delirium Research Group gave surprisingly little detail of a buffer-overflow condition in the RPC interface to DCOM, which listens by default on installations of Windows NT, Win2k, XP, and even Win2k3 Server.

This thing has "worm" written all over it.

In fact, I'll go out on a limb now and make the call that we'll be seeing worm activity exploiting this vulnerability by Christmas of this year. And though I won't be the one to discover it, I'd like to take this opportunity to one-up the boyz at eEye and give this critter a name now: "Mescaline."

I think it's a great name-- it covers the LSD angle and the whole "Window to the Mind" metaphor. And not that I admit to any knowledge of the effects of phenethylamines, it also supposedly gives one keen powers of introspection.

And that is just what you'll need if you get infected by Mescaline when it finally hits the Internet.

Why? Because you'll have to answer questions like "why did our routers and firewalls allow port 135 in?" and "why were our machines still not patched after six months?" It will be the same list of questions those hit by Slammer asked themselves.

But to be fair, this will be a bit different than Slammer. For one, the published vector is TCP 135, and Slammer used UDP. The worm connected-and-infected in a single packet.

Mescaline will have to establish TCP sessions to spread, which will make it slower than Slammer. That is, if the attack vector is in fact limited to TCP. When I first saw the vulnerability was in RPC. I immediately questioned if UDP could be used, as RPC listens on UDP 135 as well. Subsequent posts on the Security Focus mailing lists also brought this into question, and as of yet, I have not been able to get a definite answer.

But as of this writing, the Microsoft security site has been updated to include UDP. I could be wrong, but my gut feeling is that this guy could infect over UDP, thus making it much more "Slammer-like" in propagation potential.

If true, Mescaline could actually pick up where Slammer left off and spoof the source IP (not that it would really matter) and do mean and nasty things like set the source port to 53 (something Slammer did not do) in order to get through poorly configured firewall rules that think it's a DNS response. Much speculation and worm-design brainstorming is already taking place, from the newsgroups of GRC to private zero-day IRC channels.

Worm Food
Another reason this will be different is the class of the vulnerability. Slammer exploited SQL servers and MSDE installations reachable from the Internet. There really shouldn't have been any of these in the first place -- though obviously there were plenty.

But RPC is listening by default on standard server installations, including Web servers and DNS servers. It's even listening in Server 2003's Web Server Edition, a product dedicated to Web serving and hosting.

And this is where Microsoft will receive some deserved criticism. I didn't expect the Win2k code review to catch everything, but it should have caught this. As far as Win2k3 Server is concerned, at a minimum, the code base for all listening-by-default services should have been audited to the nth degree.

Yes, servers should be behind a firewall. Yes, routers should have ACLs that only allow needed ports to reach the firewall. But Trusted Computing cannot mean "trusted if behind a firewall." It must mean that default services on products designed to provide Internet services are free of buffer overflows. This goes for all manufactures of products sold under the "Internet Services" bill.

A consistent theme of my columns is the distribution of responsibility when it comes to security. This is why the Floyd lyric is so appropriate. You should be in a bunker; you should be isolated behind your wall; you should practice security in depth when you deploy services to an un- trusted public network. Servers should be configured with only the needed services running, and firewalls should deny everything by default, and only allow in what you require.

As a security person, I get paid to be accurate. In this case, I hope I'm wrong -- but I hope I'm wrong for the right reason. In six months we can sit back and say, "see, I told you so," while others put in 20-hour-a-day weekends cleaning up Mescaline. Or we can be proactive and get the word out as security evangelists: patch and protect your systems, practice least privilege and implement security in depth.

Let's all do our part to make Mescaline a flash in the pan. I still got dibs on the name, though.


SecurityFocus columnist Timothy M. Mullen is Vice President of Consulting Services for NGSSoftware.
    Digg this story   Add to del.icio.us  
Comments Mode:
Waiting for the Worms 2003-07-21
Anonymous (1 replies)
Waiting for the Worms 2003-07-21
Anonymous (1 replies)
Waiting for the Worms 2003-07-22
Anonymous
Waiting for the Worms 2003-07-21
Anonymous (1 replies)
Waiting for the Worms 2003-07-21
blacklight
Waiting for the Worms 2003-07-21
Anonymous
Waiting for the Worms 2003-07-21
Jim Harrison (ISA_Dewd) (1 replies)
Waiting for the Worms 2003-07-24
Anonymous
Waiting for the Worms 2003-07-21
By bet is eEye will still get to name it (1 replies)
Waiting for the Worms 2003-07-21
Anonymous (1 replies)
Waiting for the Worms 2003-07-22
Anonymous (1 replies)
Waiting for the Worms 2003-07-22
Anonymous
Waiting for the Naming 2003-07-21
Rick Deckard (1 replies)
Waiting for the Naming 2003-07-21
Anonymous (2 replies)
Waiting for the Naming 2003-07-21
Rick Deckard (1 replies)
Waiting for the Naming 2003-07-22
Anonymous
Waiting for the Concert 2003-07-22
Anonymous (1 replies)
Waiting for the Concert 2003-07-22
Fatty Boom Cracker (2 replies)
Waiting for the Concert 2003-07-22
Brett Delaney
Waiting for the Concert 2003-07-23
Anonymous
Waiting for the Worms 2003-07-21
Anonymous (3 replies)
Waiting for the Worms 2003-07-22
Stack (1 replies)
Waiting for the Worms 2003-07-23
Anonymous
Waiting for the Worms 2003-07-23
Sam Schinke
Bravo 2003-07-21
Anonymous (2 replies)
Bravo? 2003-07-22
Sun Li DlavRot
Bravo 2003-07-23
Anonymous (2 replies)
Bravo 2003-07-25
Brett Delaney
Bravo 2003-07-26
Anonymous
Waiting for the Worms 2003-07-22
Anonymous
Waiting for the Worms 2003-07-22
Dan Jenkins
Waiting for More Info? 2003-07-22
Penguinisto
Waiting for the Worms 2003-07-22
Zap The Dingbat
Waiting for the Worms 2003-07-22
ICMPType8
Waiting for the Worms 2003-07-22
blacklight
Waiting for the Worms 2003-07-23
Anonymous
Waiting for the Worms 2003-07-24
Anonymous
The Making is in The Progress... 2003-07-25
Anonymous (1 replies)
winhack 2003-07-30
Anonymous
Waiting for the Worms 2003-07-28
ziago


 

Privacy Statement
Copyright 2010, SecurityFocus