'Dasher' Squirms Through Patched Win2K Worm Hole

dipdude

More than two months after Microsoft Corp. issued a critical patch for a Windows 2000 worm hole, malicious hackers are successfully exploiting the vulnerability, confirming fears that patch deployment rates remain frighteningly low.

The latest network worm attack, identified by anti-virus vendors as W32/Dasher, enters through a flaw in the Microsoft Distributed Transaction Coordinator (MSDTC) that was patched in the MS05-051 bulletin released in October.

Over the last 48 hours, two variants of the worm have been seen scanning for vulnerable Windows 2000 systems on TCP port 1025.

When a system answers on that port, the worm sends an exploit for the MSDTC flaw; the payload then connects out to a remote address and waits for instructions.

The worm, which is clearly seeding botnets for malicious use, connects the infected machine to a server hosted in China and downloads two files, a copy of the worm itself and a keylogger, according to F-Secure Corp. researcher Jarkko Turkulainen.

The Dasher keylogger hides itself with a rootkit driver and is capable of capturing sensitive information from victims' machines.
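Because port 1025 falls in the dynamic RPC range on Windows 2000, legitimate MSDTC traffic to it is normal; what gives a Dasher-infected host away is fan-out, one source trying TCP/1025 on many different addresses in a short window. The following is an added example, not part of the original article or any vendor's tooling: a small detector that reads simplified, constructed firewall-style connection lines (an assumed format of epoch, source, destination, port, protocol, action) and flags sources whose distinct-destination count on TCP/1025 exceeds a threshold within a sliding window. The threshold and window values are assumptions to be tuned per network.

```python
"""Flag hosts sweeping TCP/1025 (the port Dasher scanned for MSDTC) in connection logs.

Added example; log format is constructed and simplified:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <proto> <action>
"""
from collections import Counter, defaultdict

MSDTC_PORT = 1025          # port the worm probes, per the article
FANOUT_THRESHOLD = 20      # assumed: distinct targets in one window before alerting
WINDOW_SECONDS = 60        # assumed: sliding window length


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, src, dst, port, proto, action = line.split()
    return {"ts": int(ts), "src": src, "dst": dst,
            "port": int(port), "proto": proto, "action": action}


def find_scanners(lines, port=MSDTC_PORT, threshold=FANOUT_THRESHOLD,
                  window=WINDOW_SECONDS):
    """Return {src_ip: peak distinct destinations} for sources that exceed
    `threshold` distinct TCP/`port` targets within any `window`-second span.
    Allowed and denied attempts both count: a scanner probes either way."""
    events = defaultdict(list)                # src -> [(ts, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec["proto"] == "tcp" and rec["port"] == port:
            events[rec["src"]].append((rec["ts"], rec["dst"]))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()                 # dst -> occurrences inside the window
        left = 0
        peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Evict events older than the window from the left edge.
            while evs[left][0] < ts - window + 1:
                old_dst = evs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def sample_log():
    """Constructed sample: one benign DTC client, one worm-like sweeper."""
    lines = []
    # Benign: an app server talking repeatedly to two database servers on 1025.
    for i in range(10):
        lines.append(f"{1000 + i * 5} 10.0.1.5 10.0.2.{10 + i % 2} 1025 tcp allow")
    # Worm-like: one host sweeping 30 consecutive addresses on 1025 in 30 seconds.
    for i in range(30):
        lines.append(f"{1100 + i} 10.0.1.77 10.0.3.{i + 1} 1025 tcp deny")
    # Same host on another port; must not count toward the TCP/1025 fan-out.
    for i in range(30):
        lines.append(f"{1100 + i} 10.0.1.77 10.0.3.{i + 1} 445 tcp deny")
    return lines


if __name__ == "__main__":
    for src, peak in find_scanners(sample_log()).items():
        print(f"ALERT {src}: {peak} distinct TCP/{MSDTC_PORT} targets within {WINDOW_SECONDS}s")
```

Counting distinct destinations rather than raw connection attempts keeps a chatty but legitimate DTC client below the threshold, while a sweeper that touches a new address on every attempt crosses it quickly. On a real network the threshold should sit above the largest set of DTC peers any single host legitimately talks to.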

News of the Dasher attack is hardly a surprise. On Patch Day in October, when the fix was released, officials in the MSRC (Microsoft Security Response Center) stressed that MS05-051 should be treated as a high-priority update because it put users at risk of a "remote, unauthenticated attack."

Referring to the recent Zotob attack against unpatched Windows 2000 machines, MSRC program manager Stephen Toulouse warned that the flaw presented "a similar attack vector that could have the same impact as [the Zotob worm]."

"It's hard to predict what will happen, but this is one of those vulnerabilities that could be really dangerous, especially for customers running older versions of the operating system," Toulouse said at the time.

"If you're running Windows 2000, you want to apply this update as fast as possible. The concern is that we could be looking at another Zotob, because the attack vector is the same."

Two months later, it appears that Toulouse's fears have been confirmed by Dasher.

Shane Coursen, senior technical consultant at Kaspersky Lab's U.S. unit, said the early success of Dasher proves that tardy deployment of patches presents a problem.

"We've known for the last year that the time between the release of the patch and the creation of an exploit has been getting shorter and shorter, but, at the same time, it's taking longer for customers to apply patches," Coursen said in an interview.

"This attack doesn't surprise me at all because, for a variety of reasons, Windows users are not applying the updates. I don't want to say it's irresponsible for customers to take two months to apply a patch because businesses need to test patches properly but, for critical patches that are wormable, there's a certain urgency that's needed," Coursen added.

Sunil James, security manager at Arbor Networks Inc.'s Security Engineering Response Team, said businesses need to quicken the pace of patch testing and deployment, because network worms like Zotob and Dasher turn each compromised machine into a new attacker.

"We know that these kinds of high-profile vulnerabilities are leading to worms and the payloads are becoming more and more dangerous," James said, arguing that concerns about patch quality should not be an excuse to leave networks wide open to attacks that require no user action.

Andrew Jaquith, senior analyst with Yankee Group Research Inc., said some enterprises still make poor choices when it comes to security. "I hear the mantra all the time, 'It's running just fine so don't touch it.' The problem is that it's running fine in an unpatched state and is wide open to these types of attacks."