Customer: Waiter, there's a worm in my soup.

Bill Gates: That's no worm, that's an undocumented feature!

While April is the cruelest month, August may be worse. August was a bad month for Microsoft. Its secure computing initiative hasn't seemed to stop the flow of malicious viruses and worms that exploit vulnerabilities in MS operating systems. The guns of August were led by the MS Blaster worm, which quickly was followed by the W32/Sobig worm. The latter is not a true worm in that it requires a user to execute the payload. (Actually, it also can be executed by an e-mail client that is configured to open an attachment automatically. You might as well set your doorbell always to unlock and open the front door.) Blaster can spread itself without active human intervention (unless you consider neglect to be intervention).

The latest worms have been blamed for causing or at the very least exacerbating the problems encountered during the recent grid failure and resulting blackout. (Yes, I know two short months ago I praised the North American power grid in an article about grid computing. Perhaps I was overly optimistic in my assessment of the grid's ability to self-heal, but it still beats the heck out of the third world.) We do know that a system at a nuclear power plant was brought down by the Slammer worm in January 2003. The reactor was offline at the time, so it wasn't considered to be a critical failure. Amazing. We do know these viruses effectively act as DoS (Denial of Service) attacks on segments of the Internet, if not the whole network. Network traffic is slowed as the worm searches for more boxes to infect. My local cable ISP experienced serious degradation of performance as a direct result of these exploits. There are verifiable reports that computer and system response times were down during the initial phases of the blackout. Whether this contributed to the failure probably never will be known.

Why do we continue to tolerate worms and viruses infecting our computers and systems? I can think of no other engineered system where this would be tolerated. Have we truly been duped into believing this is an inexorable result of having relative freedoms on the net and affordable operating systems? I guess so. (After all, we are a nation willing to tolerate a homicide rate five to seven times higher than most industrial nations. Sorry, back on subject.) Doesn't it strike you as a little risky for the Department of Homeland Security to sign a multimillion-dollar deal to make Microsoft its primary software provider? Maybe it just wants to learn about flawed security first-hand. If I needed a software system that absolutely, positively had to be available 24/7, I don't know that I would choose Windows. I certainly wouldn't want my pacemaker running on XP.

How Do They Do It?
Let's take a quick look at how an Internet worm such as Blaster does what it does.
On July 16, 2003, Microsoft released a security bulletin (MS03-026) that warned of a vulnerability in Windows NT 4.0, 2000, XP, and Server 2003. This vulnerability existed in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface. DCOM is a protocol that enables software components to communicate directly over a network using TCP/IP. It is the culmination of a methodology that began with OLE and passed through COM. Microsoft RPC entails some very sophisticated security. Unfortunately, there are ways around this security. Strictly speaking, there was a way around the security in an unpatched system. Microsoft provided a patch on July 16, 2003.

The RPC exploit involves sending a specially malformed message over TCP/IP. This, in turn, affects a DCOM interface that listens on RPC-enabled ports (135, 139, 445, or 593). Once the DCOM object is activated by the malformed message, the attacker is able to run code with local system privileges.

In the hacker world, what typically happens is that once a vulnerability such as this one is identified, code to exploit the vulnerability is published. Once that code is published, a virus maker cobbles some (probably) preexisting code onto that and creates a new virus. There obviously is an unwritten understanding that a virus writer will do only so much damage before the rest of us actually wake up and take notice. Once you have the privileges described above on a remote box, there is no limit to the destruction you could wreak. The Love Letter worm was particularly nasty. Among other things, it replaced all JPG files on your system with copies of itself. Let's look at Blaster's exploits.

What Rough Beast Slouches Toward Bethlehem? Blaster
The Blaster worm first uses the above-described RPC vulnerability to open a command channel between the infecting agent and the target on port 4444. It then uses TFTP (Trivial File Transfer Protocol) to download msblast.exe to the infected system. TFTP is used in many worms. It provides a quick and dirty method of transferring files using port 69 and without requiring authentication. I do not allow the executable tftp.exe on any server I control.

At this stage, it doesn't matter how it got there. Msblast.exe is now executed. The first time through it modifies the registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows auto update is created with a value of msblast.exe. Cool. Now the beast will run every time the machine is rebooted. After updating the registry, the worm creates a mutex named Billy. (There is a variation of this thing, W32/Blaster.E, that creates a mutex named Silly. Probably this is the work of a script kiddie; see below.) When a new instance of msblast is instantiated, it checks for the Billy mutex. If it finds Billy, it shuts down; why mess with a system that already is happily infected? The worm fires up winsock and sees whether you have network and Internet access. If not, it shuts down for 20 seconds and tries again. If so, it is off to the races. Job one is to find other machines to infect. Once it has an Internet connection, it generates an IP address and attempts to infect the computer at that address. It uses two methods of generating IP addresses to attack. Method one (40 percent probability) uses the first two segments of the infected system's IP address, applies an algorithm to the third IP segment, and then starts at 0 and keeps incrementing the address (i.e., xxx.yyy.zzz.0, xxx.yyy.zzz.1). The rest of the time (60 percent probability) it generates completely random IP addresses.
It then sends data (that malformed message) on port 135. The worm sends two different types of data. One fifth of the time it sends a message that will exploit a Windows 2000 computer. The remainder of the time it sends data that will crack an XP box. If the data is delivered to a mismatched system, the exploit wont work, but it is likely to crash the system. The box will reboot itself and crash again. Interesting. Meanwhile the local subnet is totally overloaded with port 135 requests.

Once a target box is infected, cmd.exe is used to create a hidden remote shell that listens on TCP port 4444. The system now is totally compromised. The infected system listens on UDP port 69 and downloads msblast.exe, which then is executed, and the worm once again has propagated. Meanwhile yet another nefarious exploit is lurking about in msblast. This one is a directed DoS attack on windowsupdate.com. It is launched according to extremely complex and arcane rules involving the date, the month, the operating system, the system state, and who is logged on to the computer. It really is kind of fun, but we don't need to concern ourselves with specifics here. Infected hosts will begin to SYN flood windowsupdate.com. A SYN attack is a denial of service attack in that at least one Internet port is blocked from legitimate access. The attacker achieves this by sending enough packets to targeted ports to block completely or severely curtail access to these ports. Basically, the attacker opens a connection with a SYN request. The target server sends back a SYN-ACK and waits. This half-open connection denies that connection to legitimate users.
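As an added example (not part of the column), here is a small Python detector that runs over constructed flow records and flags the two traffic patterns just described from the network's side: one host sweeping consecutive addresses on TCP 135, and the 135 -> 4444 -> UDP 69 infection chain between an attacker and a victim. The flow tuples, addresses and thresholds are all made up for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed flow records (src, dst, proto, dport); not real capture data.
# 10.0.5.17 sweeps its own /24 on TCP 135, then opens the 4444 shell on
# 10.0.5.3, which fetches the payload back from 10.0.5.17 over UDP 69.
FLOWS = [
    ("10.0.5.17", "10.0.5.0", "tcp", 135),
    ("10.0.5.17", "10.0.5.1", "tcp", 135),
    ("10.0.5.17", "10.0.5.2", "tcp", 135),
    ("10.0.5.17", "10.0.5.3", "tcp", 135),
    ("10.0.5.17", "10.0.5.4", "tcp", 135),
    ("10.0.5.17", "10.0.5.5", "tcp", 135),
    ("10.0.5.17", "10.0.5.3", "tcp", 4444),
    ("10.0.5.3", "10.0.5.17", "udp", 69),
    ("10.0.9.2", "10.0.9.8", "tcp", 135),   # one ordinary RPC connection
    ("10.0.9.2", "10.0.9.9", "tcp", 80),
]


def sequential_135_scanners(flows, min_targets=5):
    """Sources that hit TCP/135 on a run of consecutive IP addresses."""
    targets = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport == 135:
            targets[src].add(int(ip_address(dst)))
    hits = set()
    for src, addrs in targets.items():
        ordered = sorted(addrs)
        run = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= min_targets:
                hits.add(src)
                break
    return hits


def infection_chains(flows):
    """(attacker, victim) pairs showing 135 exploit, 4444 shell, and
    the victim pulling the payload back from the attacker over UDP 69."""
    seen = set(flows)
    chains = set()
    for src, dst, proto, dport in flows:
        if (proto == "tcp" and dport == 4444
                and (src, dst, "tcp", 135) in seen
                and (dst, src, "udp", 69) in seen):
            chains.add((src, dst))
    return chains
```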

Still More
Msblast.exe also contains the obligatory text, sometimes apparently meaningless and sometimes a gotcha. The text in this case is "I just want to say LOVE YOU SAN!!" and "billy gates why do you make this possible ? Stop making money and fix your software!!"
You have to admit the people who create these things are pretty clever. There is a certain coolness to creating code that has the ability to exploit weaknesses on other systems. There is, however, nothing cool about unleashing these things on the world.

Script Kiddies
The Blaster saga took on an amusing twist when an 18-year-old high-school student was arrested for allegedly releasing a variation of the Blaster worm. Everyone in the business knows most viruses actually are promulgated by so-called script kiddies. Script kiddies generally are teenage boys who have some limited computer skills but certainly not the sophistication needed to author virus code. Various exploits to penetrate operating system vulnerabilities and virus code readily are available on the Internet (it took me less than five minutes to find well-commented code for the Blaster worm). That means it is relatively easy for script kiddies to modify existing virus code slightly and set it free in an attempt to achieve their 15 minutes. That is apparently what our 18-year-old Blaster perpetrator did. This minor Blaster variant released an attack that infected about 7,000 computers. He was found easily because, among other things, he pointed back to his own Web site in the altered code. Should we be concerned about such misdirected youth as this guy? Here is what Sharon Ruckman, senior director of Symantec Security Response in Santa Monica, California, had to say: "They are looking for publicity, and they like to see notice of their work in the press. But script kiddies are not criminals. They're not trying to steal credit-card numbers or financial information from your computer."

I don't agree with her assessment of script kiddies as not criminals. She seems to be separating the motivation for the crime from the crime. If you bring my systems down, you are stealing resources from me, no matter what your intention. But then again, what would folks at Symantec have to do without viruses and worms to fight?

If you couple an indulgent attitude toward well-intentioned criminals with an almost total lack of enforcement of antiquated laws, you have trouble. I can think of fewer than a dozen criminal hackers who ever have served any jail time. We are forced to spend vast sums on antivirus software and firewalls and waste huge amounts of corporate assets applying patches and hardening servers. Why? Two reasons. We refuse to prosecute those who cause the problems, and we accept software that is habitually fault ridden and insecure. I am not suggesting we place all the blame on Microsoft. Maybe it really isn't economically feasible to produce secure operating systems. If that is the case, show me. How about the firm that unwittingly leaves its systems vulnerable? Should it be held responsible for the part it plays in propagating these things? How about university systems, generally understaffed and extremely vulnerable to nasty exploits? Does it even make sense to focus the blame? I don't know the answer. I do know if you are vigilant in applying the latest patches and hide your systems behind appropriate firewalls and run the latest AV software, you can be fairly certain you are protected from the 63,000-odd viruses and worms trying to get at your systems. Or can you?
