Hackers have posted code that allows for a worm attack on Windows.
The code, published yesterday on the Milw0rm website, works on Windows 2000, according to Symantec's director of emerging technologies Oliver Friedrichs, and takes advantage of a flaw in the Windows Workstation service, which let uses file-share or print over a network.
Microsoft patched the flaw in its monthly batch of security fixes earlier this week, with security vendors at the time warning it was one of the most critical of the November updates, and could soon be exploited in a self-replicating worm.
"If you run Windows 2000 systems in your environment, this flaw is the most critical one to patch, and even more so now that there's a live working exploit on the Internet," said Marc Maiffret, chief technology officer with eEye Digital Security.
Maiffret said that while the Workstation flaw is "just as easy to exploit" as the flaws used by the Blaster and Zotob worms,hackers have realized they can be more effective by using their malware in low-key, targeted attacks. "Nobody is going to dare to write a worm," he said. "Why would they, when they could target companies and make money off of them? All worms do is create awareness."
There is also a technical factor that may limit the spread of any worm based on this exploit code. According to Friedrichs, the attack code must also be aware of a legitimate domain controller on the victim's network. "It limits somewhat the exposure of systems on the Internet," he said.
Symantec has not yet seen this malware being used in attacks, Friedrichs said Thursday. Still, some security vendors think that a worm attack could be in the works. "If we are able to confirm that it does work then the possibility of a worm is really high," said Amol Sarwate, Vulnerability Research Lab manager with Qualys. "Once people get it working, it's only a matter of time for people to encapsulate it in worm behaviour."
Qualys researchers are studying the exploit code and are still not sure which versions of Windows can be compromised by the attack, he said. Sarwate noted that there is other attack code in circulation this week. Hackers have also posted malware targeting a critical flaw in the WinZip 10 file compression software, which was also patched by Microsoft on Tuesday.
"It is a big deal for the people who have WinZip installed, but it's not as much of a big deal as [the Workstation exploit]," he said. Symantec is now warning of attack code targeting a third Windows flaw. On Thursday it said that exploit code has also been published for a flaw in the Client Service for Netware, which was also patched Tuesday.