October 26, 2008

Hackers Exploit Microsoft Bug

Just one day after Microsoft distributed a rare emergency security patch, hackers have found new ways to exploit the bug. 

Security researchers identified a new trojan called Gimmiv on Friday, after a hacker had posted on the Internet an early sample of code that could be used to take advantage of the flaw.

Since the bug could be used to create an Internet worm attack, Microsoft issued the patch more than two weeks ahead of its next security update.  In fact, the software giant said it had already witnessed a small number of attacks that exploited the flaw.

According to a New York Times report, the vulnerability lies in the Windows Server service used to connect with other devices on networks. And while the Windows firewall software will block the worm from spreading, experts worry the flaw could be used to spread infections between machines on a local area network (LAN), which are typically not protected by firewalls.

Indeed, that's precisely what the Gimmiv trojan intends to do, said Symantec's senior research manager Ben Greenbaum.

"It is downloaded onto a target machine via social engineering and then proceeds to scan and exploit machines on the same network, using this newly disclosed vulnerability in the Server service," he told the New York Times.

Experts believe the worm then loads software that steals passwords.

Both Symantec and McAfee said Friday that they had only seen a very small number of attacks based on Gimmiv.  However, Symantec reported a 25 percent jump in network scans searching for vulnerable machines beginning Thursday evening.  The searches could signal that more attacks are on the way, Symantec said.

It's a scenario that becomes more probable as additional tools are released to the broader public.  For instance, sample exploit code was posted to the Milw0rm.com hacker site on Friday, and security experts expect hackers to move the code into easy-to-use attack tools over the next few days.

Greenbaum predicts the attack code will soon be used to create botnet networks of infected computers.

"What we are going to see is this attack being added to the arsenal of botcode," he told the New York Times.

"Once it evolves to the point where people really don't have to know much about the exploit ... those are the situations where people write the worms that do a lot of [damage]," Craig Schmugar, a researcher with McAfee, told the New York Times.  

When asked if he expects a harmful worm to materialize from the latest bug, Schmugar said: "If history is a lesson, then yes."