Hackers Circulate New Code For Exploiting Windows
The code targets systems that haven't been patched against the flaw in Microsoft's Abstract Syntax Notation 1 library.
Just days after Microsoft alerted users of a major vulnerability in Windows, exploit code is widely circulating on the Internet, a security expert said Tuesday.
The code targets systems that haven't been patched against the flaw in Microsoft's Abstract Syntax Notation 1 (ASN.1) library, a vulnerability that was discovered in July 2003 by eEye Digital Security but not made public until earlier this month.
The exploit code, first found on Feb. 14--four days after the vulnerability was disclosed--is fully functional and can crash compromised Windows machines, said Ken Dunham, director of malicious code research at iDefense. By Tuesday, iDefense had spotted three separate exploits for the ASN.1 vulnerability, all of them widespread on multiple discussion groups and hacker Web sites.
"The widespread distribution of this new exploit code has significantly increased the threat level for ASN.1 possible attacks," said Dunham. "It's far more likely that we will soon see hacking, trojans, and worms emerge against this vulnerability now that exploit code is widely available."
Although most large companies have already started to roll out patches for the ASN.1 vulnerability and should wrap up the chore this week, there will still be countless targets for the exploit code, said Dunham.
The exploit code causes the Microsoft Local Security Authority Subsystem process, run by LSASS.exe, to crash. It can be sent via Server Message Blocks or NetBIOS sharing protocols listening on ports 445 or 139.
According to Dunham, the existing exploit code only aims to conduct denial-of-service attacks against targeted sites and companies. At least one major company suffered attack this weekend, he said, although he declined to name the firm or its Web site.
But while there's the possibility that these exploits may be automated into a worm that can carry out even broader attacks on ASN.1-vulnerable systems, Dunham said that isn't likely.
"We might see a significant worm come out, but writing one is more difficult than, say, MSBlast," he said. "We see the same evolution as in MSBlast, but it'll be tougher for hackers to create the code that leads to a worm or a trojan horse."
Instead, he sees the exploit code as the forerunner to a new wave of denial-of-service and backdoor attacks.
The fast appearance of exploit code for the ASN.1 vulnerability is yet more proof of an increasingly sophisticated hacker community that reacts to a new vulnerability within days, or even hours.
"The increases in experience and coordination on the part of attackers towards rapid exploitation are dramatic," he said. "If we would have said 10 years ago that you'd see this level of attacks, your mouth would have dropped open and you would have said that's all Hollywood stuff."
The spikes in vulnerabilities and associated attacks will continue and, thanks to the trend of releasing source code for existing worms--as well as the recent leak of Windows source code to the Web--will likely get worse, he added.
"The large number of vulnerabilities, and the availability of exploit code and worm source code and Trojan source code, as well as the editing of [hacker] tools, give them all the keys they need for rapid exploitation," he said. "Bottom line, they're getting more efficient exploiting vulnerabilities."