Worms hit right on schedule

Written by Robert Vamosi, Contributor
Commentary: Computer worms often strike about 30 days after Microsoft releases software patches. MS just released four patches, so the clock is ticking. But Robert Vamosi says this time might be different.

Editor's note: Over the weekend, after Rob wrote this column, Sasser.a and Sasser.b hit the Net--hard. Click here to find out more about the worms and what you can do to protect yourself from them.

The clock is ticking. A new, and possibly nasty, Internet worm is almost certainly coming. How do I know? Every time Microsoft releases new security patches, it's just a matter of time until some crook reverse engineers them to find the original vulnerability. So I thought it would be interesting to explore the entire process, from patched vulnerability to final worm. I'm doing so not to facilitate another worm (believe me, criminal hackers, or crackers, already know how to do all this), but this way, should one hit, we've all had plenty of warning.

I'm going to start with something I call the Eschelbeck Theory, named after security expert Gerhard Eschelbeck, of a security company called Qualys. His research shows that half the vulnerable systems in the world get patched within the first 30 days after a vulnerability patch announcement. Toward the end of that same 30 days, someone inevitably releases a virus or worm to exploit the unpatched systems. It's this latter phase that I want to discuss this week.

Microsoft hits a bad patch
On April 13, Microsoft released its April Security Bulletin. In it were four patches designed to fix 20 vulnerabilities in all versions of Windows. At first blush, it appeared that Microsoft put time and care into researching the underlying issues and patching everything at once rather than giving a piecemeal solution.

But I should have known better than to praise Microsoft for its latest security patches. Shortly after I wrote my column, several system administrators reported serious trouble with MS04-011. Although I qualified my enthusiasm throughout the column, my general thrust was that the patches were safe. Microsoft has since released a knowledge base article, 835732, that identifies various problems with the patch and offers solutions or workarounds. So far, most home users have not reported problems with the four patches.

What's ironic is that this one patch, MS04-011, remedied some 14 individual vulnerabilities, including flaws in major protocols of the Internet, such as Secure Sockets Layer (SSL), Abstract Syntax Notation 1 (ASN.1), and Local Security Authority Subsystem (LSASS). Already, some of these MS04-011 vulnerabilities have exploits floating around the Internet. How did they get there? Let me explain.

The life cycle of a typical Microsoft flaw
Here's how a typical Microsoft flaw gets converted into a worm. Last June, eEye found a flaw in RPC DCOM and notified Microsoft, who then patched the flaw on July 17. By the time I was attending Black Hat Briefings in Las Vegas, two weeks later, crackers had released several RPC DCOM exploits on the Internet, and security experts at the conference were trying them out, seeing what the exploits would do. Two weeks after that, a cracker took one of the exploits and created what we now know as the MSBlast worm.

We're now a couple of weeks out from the Microsoft April Security Bulletin announcement. Already, there's a new exploit for the SSL vulnerability on IIS servers. And it appears that Phatbot (a Trojan) is now exploiting the LSASS flaw. But despite the Eschelbeck Theory, don't expect a new worm tomorrow morning. For one thing, an exploit for the ASN.1 flaw has been known since February, and no worm ... yet.

One reason for the delay is that crackers first use a given exploit for their own benefit, such as compromising a few target systems worldwide for theft or other purposes. Only when they are done will they use the exploit as the basis of a new worm.

Thwarting the next superworm
This time around, however, the effects of any new worms might be stunted. In recent days, VeriSign, which signs certificates used in SSL transactions, has been alerting businesses to patch their Windows systems against the SSL and LSASS flaws. The action is based on an increase in SSL traffic on port 443 worldwide, perhaps a sign that criminal hackers are using the new SSL exploit for their own deeds and will soon release a full-blown worm. It is VeriSign's hope that proactive patching will blunt the effects of any pending superworm.

Someday, the Eschelbeck Theory will be a footnote in history. Until then, each of us will need to follow VeriSign's lead and take the time to secure our computers as soon as possible. By reducing the number of vulnerable machines in the world, we also diminish the impact any virus or worm will have; then maybe crackers will move on to other pastimes.
