During the last week, experts have predicted the imminent risk of a worm that exploits a critical vulnerability in Windows RPC-DCOM. Now there are reports that attackers are manually exploiting the flaw.
The Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh is warning that the vulnerability is being exploited in the wild. Attackers are scanning for port 135, which RPC uses, and by injecting the exploit code are able to gain a system-level command shell on vulnerable systems.
To some, predictions of an RPC worm smack of Chicken Little -- in other words, warnings that the sky will fall if systems administrators don't immediately patch their systems. In fact, perhaps the attention paid to a forthcoming worm would inspire some attention-deprived script kiddie to write just such a worm, experts said.
Organizations can rise above the whole worm issue by taking preventive measures. Installing the patch from Microsoft would fix the flaw. If that isn't possible, then blocking external access to the following ports would help: TCP 135, UDP 135, TCP 139, UDP 139, TCP 445 and UDP 445.
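The two defensive signals in the paragraphs above are the port-135 scanning that CERT reports and the list of ports to block externally. The following added example (not code from the article or from any vendor quoted in it) turns those into a small detection check: it parses firewall deny-log lines, keeps only hits on the six RPC, NetBIOS and SMB ports the article lists, and flags any source address that has probed several distinct internal hosts on those ports, which is the scan-like pattern described. The log format and all addresses are constructed for the example; the `min_targets` threshold is an arbitrary assumption, not a recommendation from the article.

```python
"""Flag external sources probing the RPC/DCOM and SMB ports listed in the article.

Added example, not part of the original article. The log lines below use a
constructed, simplified deny-log format (not any specific firewall product):
    <timestamp> DROP <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
"""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

# The ports the article recommends blocking from external access.
WATCHED_PORTS = {
    ("tcp", 135), ("udp", 135),   # RPC endpoint mapper / DCOM
    ("tcp", 139), ("udp", 139),   # NetBIOS session service
    ("tcp", 445), ("udp", 445),   # SMB over TCP/IP
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, int]]:
    """Return (timestamp, proto, src_ip, dst_ip, dst_port), or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m["ts"], m["proto"].lower(), m["src"], m["dst"], int(m["dport"]))


def port_hit_counts(lines: Iterable[str]) -> Counter:
    """Count denied connections per (proto, port), restricted to the watched ports."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue          # skip lines that do not match the expected format
        _, proto, _, _, dport = rec
        if (proto, dport) in WATCHED_PORTS:
            counts[(proto, dport)] += 1
    return counts


def find_rpc_probes(lines: Iterable[str], min_targets: int = 3) -> Dict[str, List[str]]:
    """Return {src_ip: sorted distinct dst hosts} for sources that hit a watched
    port on at least `min_targets` different hosts (a scan-like pattern).
    `min_targets` is an assumed threshold, not a value from the article."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        _, proto, src, dst, dport = rec
        if (proto, dport) in WATCHED_PORTS:
            targets[src].add(dst)
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


# Constructed sample log: one source sweeping port 135 across four hosts,
# one source touching 445/139 on a single host, one unrelated web hit,
# and one malformed line that the parser must skip.
SAMPLE_LOG = [
    "2003-07-31T10:00:01 DROP TCP 198.51.100.7:4021 -> 10.0.0.11:135",
    "2003-07-31T10:00:01 DROP TCP 198.51.100.7:4022 -> 10.0.0.12:135",
    "2003-07-31T10:00:02 DROP TCP 198.51.100.7:4023 -> 10.0.0.13:135",
    "2003-07-31T10:00:02 DROP TCP 198.51.100.7:4024 -> 10.0.0.14:135",
    "2003-07-31T10:00:05 DROP TCP 203.0.113.9:3310 -> 10.0.0.11:445",
    "2003-07-31T10:00:06 DROP UDP 203.0.113.9:3311 -> 10.0.0.11:139",
    "2003-07-31T10:00:07 DROP TCP 192.0.2.5:51000 -> 10.0.0.11:80",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for src, hosts in find_rpc_probes(SAMPLE_LOG).items():
        print(f"scan-like activity from {src}: {len(hosts)} hosts probed -> {hosts}")
    for (proto, port), n in sorted(port_hit_counts(SAMPLE_LOG).items()):
        print(f"{proto}/{port}: {n} denied connection(s)")
```

The per-source host count matters more than the raw hit count: a single blocked SMB connection from one address is ordinary background noise, whereas one address touching port 135 on many internal hosts in quick succession is the reconnaissance the article describes, and is worth correlating with whether the Microsoft patch has actually been applied on those hosts.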
Yet the fact remains that the vulnerability in how Remote Procedure Call (RPC) is implemented in Windows is worrisome. The protocol allows Windows systems to communicate with other operating systems. The utility is deeply embedded in Windows and is present in Windows NT, 2000 and XP, as well as Windows Server 2003.
The pervasiveness of the vulnerability
That said, the exploit code is being refined, said Dan Ingevaldson, engineering director for Internet Security Systems Inc.'s X-Force security monitoring operation. There seems to be an effort going on to make a universal exploit that would affect all Windows 2000 machines or Windows XP machines. Out of all the susceptible platforms, those two are good targets if worm writers want a large pool of machines, he said.
Moreover, there are at least a few versions of exploit code for the vulnerability posted on the Internet. In theory, it would be fairly easy to create a worm by copying that code and pasting it into a template for propagation code, which can also be copied from the Web. By definition, all a worm would have to have is a way to spread.
"It would be so simple to wormify this exploit," said Gary Morse, president of Razorpoint Security Technologies Inc., which conducts penetration tests for companies. "Whether or not it makes it to the general public is another question."
Script kiddies may try slapping a worm together just for the cachet of being able to say they authored the first version, Morse said. Others would then work out the bugs in the worm code and make refinements.
But even a basic worm isn't trivial to write.
"While there are malware-making programs that can assist in the development of malicious code, to take this building block exploit code and produce a worm is not as simple as cutting and pasting," said Robert Vibert, administrator of the Anti-Virus Information Exchange Network. For example, the writer would need to know the programming used in the exploit code so it functions properly in the worm.
More elite worm writers, however, will try to be more creative because they're motivated less by glory and more by spoils. A worm would just be an automated means of exploiting the flaw on a widespread basis. By doing so, they could build a substantial army of systems to be used in a distributed denial-of-service attack at a future date, Morse said.
The RPC-DCOM vulnerability can also be used in a blended threat worm, which then uses that flaw as just one attack vector. Creating such a worm would not be the domain of the newbie virus writer, said David Perry, Trend Micro Inc.'s global director of education. "For years, we have seen virus writing getting easier as script kiddies use Visual Basic scripts, but they are getting harder to write again," he said.
"I can't say for sure it will be exploited by a worm. There are vulnerabilities we have been waiting for years to be," he said. "But it has as good a chance as any we have seen lately."
FOR MORE INFORMATION:
SearchSecurity.com news exclusive: "Windows RPC exploit code published"