The Web    Google
Security Experts On Alert for Large-Scale Hacker Assault

Security Experts On Alert for Large-Scale Hacker Assault
July 31, 2003

The security industry is on alert that an upswing in hacker activity could be signaling the coming of a broad-scale attack that could potentially affect millions of networks.

The increased hacker activity is pinpointing a vulnerability in Microsoft Corp.'s Windows operating system. A problem with the Windows RPC Interface Buffer Overrun was first disclosed on July 16. Security experts say hackers started experimenting with the vulnerability almost immediately, and the rate of system probes and online chatter about the vulnerability has been skyrocketing.

''We're very concerned,'' says Dan Ingevaldson, an engineering manager with Altanta-based Internet Security Systems, Inc. ''Administrators have a window of time to fix their systems, but that window is getting smaller... We think there's a risk here to the entire Internet.''

There's enough of a wide-scale risk that the Department of Homeland Security (DHS) is on alert. David Wray, a DHS spokesman, says his people have been monitoring the situation and are in direct contact with the security community, as well as with industry.

''We're seeing an Internet-wide increase in probing that could be a search for vulnerable computers,'' says Wray. ''It could be a precursor and it bears continued watching... It certainly could be serious. It could lead to the distribution of destructive, malicious code and it could cause considerable disruption.''

But Wray and security experts agree that the situation could be defused if IT managers and individual consumers immediately download and install the patch that Microsoft has issued for the RPC vulnerability.

The vulnerability itself, which affects Windows NT, Windows 2000 and Windows XP machines, is a serious one.

Qualys, Inc., a security auditing and vulnerability management company based in Redwood Shores, Calif., has rated the Windows flaw as the most critical one out there right now. Gerhard Eschelbeck, CTO of Qualys, says it involves the most prominent protocol used in the Windows environment and leverages highly exposed ports

Ingevaldson notes that the vulnerability is unique in that it affects both servers and desktops, expanding the reach of any exploit that takes advantage of it.

''We haven't seen much of that before this,'' says Ingevaldson. ''It's the first major vulnerability that crosses the line between desktops and servers. It's a core component of the operating system.''

And Ingevaldson says there's a lot of potential for damage here.

''Look at SQL Slammer,'' he adds. ''That affected between 100,000 and 300,000 machines. There's a lot more Windows XP and 2000 out there. There's a very large pool of vulnerable machines. Millions potentially.''

And that kind of potential is drawing a sizable amount of attention from the hacker community.

Chris Belthoff, a senior security analyst with Sophos, Inc., a security and anti-virus company based in Lynnfield, Mass., says there hasn't been an increase in virus or worm activity yet, but they are seeing a major increase in system probes. Hackers are poking into computers and networks around the world to see what systems are in place and what vulnerabilities haven't been patched.

The hackers have been experimenting with the exploit, says Ingevaldson, who has seen several versions of the same tool that is being used to prod at the vulnerability.

And Qualys' Eschelbeck says they have been monitoring online chatter about the vulnerability in the hacker community. ''There's a lot of creativity being put in right now to make the exploit more powerful... and hit on a wider scale,'' he says. ''It's a strong indicator that things are in the making.''

Most agree that the exploit would come in the form of a worm, since the vulnerability doesn't lend itself to a Denial-of-Service attack.

What security experts aren't agreeing on is if the probes and increased hacker activity is coming from one person or an organized group. The Department of Homeland Security is reporting that there's no evidence at this point that it's an organized attack or that it's a matter of international terrorism.

But Sophos' Belthoff says it does ring of an organized effort.

''My guess is that it's a number of people,'' he says. ''It's not just an individual person doing all these probes to assess vulnerability levels. The probes are distributed. The normal level is pretty high and this is way above that.''

Belthoff adds, ''It's a race against time and the potential for a new, big worm outbreak.''

  • 5/20: Mytob-EU Worm Drops Copy
  • A Pattern Language For Spam
  • 4/27: Mytob-CY Worm Arrives as Email Attachment
  • Fed Security Systems Receive Failing Grades
  • 5/3: SymbOS/Locknut-C Infects Handsets
  • Keeping Score of Identity Risks
  • 11/23: Yanz-B Worm Written in MSVC
  • 2/3: Rbot-VD a Worm and a Trojan
  • 5/19: Viperik-A Trojan Deletes Files & Info
  • New Alliance Opposes Anti-Piracy Mandates
  • 11/8: Trojan.Beagooz Collects Addresses
  • Security Camera Related Information