TechWeb

Bot Attacks Vulnerable Windows Systems; Microsoft Patch Buggy

Apr 29, 2004 (12:04 PM EDT)

Read the Original Article at http://www.informationweek.com/news/showArticle.jhtml?articleID=19205541


Microsoft on Thursday disclosed a bug in a patch for a critical vulnerability, and Symantec Corp. retracted a claim that automated code was compromising one Windows vulnerability and warned that a bot network was on the loose and taking advantage of another.

All the scrambling revolved around a pair of vulnerabilities that Microsoft first disclosed April 13 as part of its monthly release of bugs and patches for Windows.

Early Thursday, Symantec saw several honeypots--servers intentionally left unprotected in the hope of attracting attacks--on its DeepSight Threat network compromised via the LSASS (Local Security Authority Subsystem Service) vulnerability within Windows 2000, Windows XP, and Windows Server 2003.

LSASS is a component of Windows that provides an interface for managing local security, domain authentication, and Active Directory processes. The exploit of LSASS is not a worm, said Alfred Huger, senior director of engineering on Symantec's security response team, but is malicious code based on Gaobot, an automated trojan that uses Internet Relay Chat (IRC) to communicate with its creator. The Gaobot code has been modified, he said, to spread through the LSASS vulnerability.

According to an alert released by Symantec on Thursday, the unnamed bot can gather information from the infected hosts and make detection and removal difficult. It can harvest E-mail addresses, capture screens, terminate anti-virus software, and modify the local Hosts file to prevent DNS queries on selected domains.
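One defender-side check that follows from the Hosts-file tampering described above, written here as an added example rather than anything from Symantec's alert: parse a Windows Hosts file and flag entries that pin security-vendor or update domains to a loopback or unspecified address. The watched suffixes and the sample Hosts content are constructed for illustration.

```python
import ipaddress

# Constructed watch list; a real deployment would carry its own vendor/update domains.
WATCHED_SUFFIXES = ("symantec.com", "microsoft.com", "windowsupdate.com", "mcafee.com")

# Constructed sample of a Hosts file after the kind of tampering the alert describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com
127.0.0.1       windowsupdate.microsoft.com
0.0.0.0         download.mcafee.com
10.0.0.5        intranet.example.local
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def find_sinkholed_entries(text):
    """Return (hostname, ip) for watched domains mapped to loopback or 0.0.0.0.

    Such entries silently break DNS for update and signature servers, which is
    why the bot modifies the file; anything else in the file is left alone.
    """
    hits = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address, not our concern here
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        if name == "localhost":
            continue  # the one loopback entry every Hosts file legitimately has
        if any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES):
            hits.append((name, ip))
    return hits
```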

"There's really not much difference between a bot and a worm," said Huger. "The only real difference is that a bot won't break into an internal network. On outward-facing systems, there is no difference. Getting broken into is getting broken into."

The bot is widespread and active, said Huger, who pointed out that the compromised honeypots use unpublished IP addresses and domains, so they could only have been found through extensive scanning of the Internet.

"The attacker is scanning several hundred thousand addresses at a time looking for systems to break into," said Huger. "That's how they found our honeypots."

This attack is a good example, he said, of how bots, and the vast networks of compromised machines that they control, often fly under the radar of not only the public and the media, but even security vendors.

"Bots don't create a lot of 'noise,'" he said, "but can still compromise a huge number of machines. We're not talking about hundreds or even thousands here, but millions of machines that have been compromised by various bots. We've seen bot networks that have 200,000 or even 400,000 nodes, and many of these bot networks overlap, so it's certainly possible that a system can be compromised--and controlled--by more than one bot maker."

Symantec on Wednesday backpedaled from an assessment the day before that it had captured code exploiting a vulnerability in Windows' implementation of SSL. Although a preliminary analysis concluded that a worm or bot was at work, Symantec said Wednesday that it made a mistake. Instead, it was seeing evidence of a new Trojan horse, dubbed Mipsiv, that was compromising systems, but using the same port, TCP port 443, as Windows Protected Communications Technology. PCT 1.0 is a packet protocol within Microsoft's SSL library--and like LSASS, it's also vulnerable to attacks.

"When we received the code, and did preliminary analysis, we thought it had networking functions," said Oliver Friedrichs, a senior manager with Symantec's response team. "But it's really just a backdoor component."

After additional analysis, said Friedrichs, Symantec figured out that Mipsiv wasn't exploiting the Microsoft PCT vulnerability. But while Mipsiv doesn't contain either worm or bot features, it's still connected to the PCT vulnerability. Exploit code for the vulnerability has been public for about two weeks, and the Trojan could only have been placed on the compromised machines using the PCT exploit code.

Mipsiv, said Symantec, connects to an IRC server via port 443, and uses that channel to listen for instructions. It also includes key logging and network scanning functions.
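Because Mipsiv talks IRC on TCP port 443, the port alone looks like ordinary HTTPS; what gives it away is that the first bytes the client sends are cleartext IRC commands rather than a TLS or SSLv2 handshake. The classifier below is an added example, not Symantec's detection logic, and the flow records it scans are constructed.

```python
# Client-to-server IRC registration commands; a legitimate TLS client never sends these.
IRC_COMMANDS = (b"NICK ", b"USER ", b"PASS ", b"JOIN ", b"PRIVMSG ")


def classify_port443_payload(data: bytes) -> str:
    """Label the first client bytes of a port-443 stream by protocol shape."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        # TLS record: content type 0x16 (handshake), version major 3
        return "tls-handshake"
    if len(data) >= 3 and (data[0] & 0x80) and data[2] == 0x01:
        # SSLv2-style record: 2-byte length with high bit set, then CLIENT-HELLO (1)
        return "sslv2-client-hello"
    for line in data[:512].splitlines():
        if line.upper().startswith(IRC_COMMANDS):
            return "cleartext-irc"
    return "unknown"


# Constructed flow records: (src, dst, dport, first client bytes)
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.1", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x01"),
    ("192.0.2.11", "198.51.100.2", 443, b"\x80\x2e\x01\x00\x02\x00\x15\x00\x00"),
    ("192.0.2.12", "203.0.113.7", 443, b"NICK bot1234\r\nUSER bot 0 * :bot\r\n"),
    ("192.0.2.13", "203.0.113.8", 443, b"PASS hunter2\r\nNICK x\r\n"),
    ("192.0.2.14", "198.51.100.3", 6667, b"NICK irc-user\r\n"),  # plain IRC port, not our case
]


def irc_on_443_alerts(flows):
    """Return (src, dst) for flows to port 443 whose client bytes are cleartext IRC."""
    return [
        (src, dst)
        for src, dst, dport, first in flows
        if dport == 443 and classify_port443_payload(first) == "cleartext-irc"
    ]
```

The check only looks at the first client bytes, so it misses a bot that wraps its IRC session in real TLS; it is a cheap first pass, not a substitute for inspecting the endpoint.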

Both the LSASS and PCT vulnerabilities--and the large amount of hacker activity related to them--mean that businesses and other users should patch their systems immediately, said Huger and Friedrichs.

"The fact that we haven't seen a worm yet [targeting the PCT vulnerability] is no reason to delay patching," said Friedrichs. "It only means that we may have a little more time to patch."

Huger wasn't sure there was as much time to hustle the LSASS patch into place.

"If you start seeing an exploit on a bot network, the next step--a worm--is trivial. You'll see this exploit turn into a worm at some point." It could, he agreed, be as big a threat as the Blaster worm that attacked systems last summer.

But patching these vulnerabilities may be tricky for some. On Wednesday, Microsoft said that the patch it released on April 13 was buggy.

Microsoft confirmed in an article on its technical support database that the security fix for the LSASS and PCT vulnerabilities--as well as other holes in Windows--has a bug that can lock up some Windows 2000 systems at boot time.

"After you install the security update that is described in Microsoft Security Bulletin MS04-011, you may experience any one of the following symptoms," Microsoft said in the alert. "Your computer appears to stop responding at startup, you cannot log on to Windows, or your CPU usage for the System process approaches 100%."

The MS04-011 bulletin was one of four released April 13, and its fix is responsible for patching the LSASS and PCT vulnerabilities.

The bug causes Windows 2000 to repeatedly attempt to load drivers that earlier failed at startup, bringing down the system. Microsoft is investigating the problem, but has yet to post a patch for the patch.