Blaster Redux? SSL Worm Threat Rising

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Security experts have spotted the first signs of a Blaster-like worm circulating underground, prompting fears that major Internet disruptions could be less than a week away.

Anti-virus firms on Wednesday warned of abnormal port-scanning activity and evidence of a backdoor Trojan infecting machines through a known vulnerability in Microsoft IIS servers.

And, as was the case when the Blaster virus hammered corporate networks last August, a patch for the flaw has already been issued by Microsoft.

“This is an urgent situation. We’re in the mode right now where we are strongly recommending that the patches be applied. The only way this won’t be as disruptive as Blaster is for people to patch their IIS servers,” according to Symantec’s Jonah Paransky.

Paransky, a senior manager of security product management at Symantec, told internetnews.com it was “highly likely we’re see self-propagating malicious code” released in the coming days.

“Because of the potential severity of this, we are raising the threat level and strongly recommending that the appropriate patches are applied.”

Symantec has already spottedBackdoor.Mipsiv Trojan that performs different backdoor-type functions by connecting to an IRC server and joining a specific channel to listen for instructions. Paransky said the Trojan contains keylogging and network scanning functionalities.

“We know that the vulnerability exists. We know there is exploit code on the Internet and we’re seeing the exploit code appearing in Trojans. We’re not seeing a Blaster-type worm yet but it’s only a matter of time before someone really malicious gets their hand on the code,” Paransky said.

During initial analyses of the Backdoor.Mipsiv Trojan, Symantec found that it was using the same port as the Microsoft Windows Private Communications Transport Protocol (PCT) vulnerability, which was patched in the software giant’s April release of fixes.

Symantec first issued an alert for the “high risk” PCT flaw on April 13, with a warning that multiple Microsoft Windows operating systems were vulnerable to a remotely exploitable stack-based buffer overrun via the PCT (Private Communications Transport) protocol. “Successful exploitation of this issue could allow a remote attacker to execute malicious code on a vulnerable system, resulting in full system compromise. The vulnerability may also reportedly be exploitable by a local user who passes malicious
parameters to the vulnerable component interactively or through another application,” the company said.

The issue only affects systems that have SSL enabled, such as Web
servers, but could also affect Windows 2000 Domain Controllers under some circumstances. More information on the PCT flaw and available patches can be found in this alert.

As previously reported, exploit code for the flaw is already available and could be used by attackers to force the Windows 2000 and Windows XP operating systems to block SSL connections. On Windows Server 2003 machines, the code could cause the system to reboot.

On Wednesday, the SANS Institute also warned of a new PhatBot exploiting targeting another Microsoft vulnerability. The institute said in an alert that the PhatBot contains code to exploit the LSASS (LSASS: Local Security Authority Subsystem Service) vulnerabilities patched under MS04-011 earlier this month.

“The exploit is effective against some versions of Windows 2000 with SP3 or SP4 installed. The patch released earlier this month as part of MS04-011 will fix this vulnerability. If you have not done so already, please apply the MS04-011 patch as soon as possible. Even if no worm is released, we expect that all Internet facing systems will be probed with this exploit over the next couple of days.”