RealTime IT News

Dasher Worm No Friendly Reindeer

A worm targeting a known and patched Microsoft security vulnerability is making its way around e-mail inboxes, and it isn't spreading the holiday cheer its name implies.

Security experts have recently discovered three variants of the Dasher worm, each exploiting a critical vulnerability in Microsoft's Windows Distributed Transaction Coordinator (DTC, the MSDTC service). Microsoft patched the flaw in October in security bulletin MS05-051. The worm targets Windows 2000 systems.

Officials at Symantec discovered the first two variants, Dasher.A and Dasher.B, on Thursday; the third, Dasher.C, was discovered today.

While the DTC vulnerability affects several versions of Windows, including Windows XP and Windows Server 2003, Microsoft officials said in their October bulletin that Windows 2000 systems were the ones primarily at risk.

On Windows XP SP1 and Windows Server 2003, an attacker needs valid logon credentials before the vulnerability can be exploited; unpatched Windows 2000 machines, by contrast, can be exploited over the Internet without any authentication.

Because the exploit works reliably only against Windows 2000, corporations, that system's largest user base, are most at risk. Dasher's dash through the corporate world hinges on security administrators who have not yet pushed the Microsoft patch out to employee machines.

Oliver Friedrichs, senior manager for Symantec security response, said companies are getting better at patching their networked machines.

"Corporations, historically, have been a little slower in updating their patches, simply because they have so many computers and so many systems, it's difficult to prioritize the deployment of the patches across all these systems," he said. "But overall, the speed at which these people are installing patches has improved pretty dramatically."

The activity that exploits the Windows DTC vulnerability started Wednesday, according to officials at the Philippine Honeynet Project. They noticed a spike in the number of TCP connection attempts to port 1025, which on Windows 2000 is typically the first dynamically assigned Microsoft Remote Procedure Call (RPC) endpoint port and the one on which MSDTC usually listens.

"These scans are most likely RPC and [Local Security Authority (LSA)] exploit attempts against Windows," the note states. "In this particular case, the packets captured seem to point to a LSA attack via TCP port 1025."

According to security firm F-Secure, the port scan looks for machines that answer on the port and are vulnerable to the DTC flaw. When it finds such a machine, the worm sends its exploit payload and, following the usual worm pattern, drops a copy of itself on the newly infected host, which then begins scanning for further victims.
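The scan pattern described above, a sudden burst of TCP/1025 connection attempts and a single source sweeping many hosts on that port, is the kind of signal a network sensor can flag. The following is an added example (not code from the honeynet, F-Secure or Symantec) showing detection logic run over a constructed connection log; the "timestamp proto src dst dport" line layout, the sample addresses and the thresholds are assumptions for illustration.

```python
"""Flag a burst of TCP/1025 connection attempts and the sources sweeping for
that port.  Added example; the log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, NamedTuple, Set

# On Windows 2000, TCP/1025 is usually the first dynamically assigned RPC
# endpoint, which is where MSDTC (the service MS05-051 patches) tends to listen.
MSDTC_PORT = 1025


class Attempt(NamedTuple):
    ts: datetime
    proto: str
    src: str
    dst: str
    dport: int


# Constructed sample log (hypothetical "timestamp proto src dst dport" layout):
# a few minutes of normal traffic, then a 10:05 burst in which one host sweeps
# a /24 for port 1025 and a second host probes a handful of addresses.
SAMPLE_LOG = "\n".join(
    [
        "2005-12-14T10:00:03 TCP 10.0.0.5 192.0.2.10 80",
        "2005-12-14T10:00:11 TCP 10.0.0.8 192.0.2.10 1025",
        "2005-12-14T10:01:40 TCP 10.0.0.9 192.0.2.12 443",
        "2005-12-14T10:01:52 TCP 10.0.0.8 192.0.2.11 1025",
        "2005-12-14T10:02:07 UDP 10.0.0.5 192.0.2.10 53",
        "2005-12-14T10:02:30 TCP 10.0.0.6 192.0.2.10 1025",
    ]
    + [f"2005-12-14T10:05:{i:02d} TCP 203.0.113.7 192.0.2.{10 + i} 1025" for i in range(12)]
    + [f"2005-12-14T10:05:{30 + i:02d} TCP 198.51.100.23 192.0.2.{40 + i} 1025" for i in range(4)]
)


def parse_log(text: str) -> List[Attempt]:
    """Parse one connection attempt per line; blank and '#' lines are skipped."""
    out: List[Attempt] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, proto, src, dst, dport = line.split()
        out.append(Attempt(datetime.fromisoformat(ts), proto, src, dst, int(dport)))
    return out


def attempts_per_minute(attempts: List[Attempt], port: int = MSDTC_PORT) -> Dict[str, int]:
    """Count TCP connection attempts to `port` in each one-minute bucket."""
    buckets: Dict[str, int] = defaultdict(int)
    for a in attempts:
        if a.proto == "TCP" and a.dport == port:
            buckets[a.ts.strftime("%Y-%m-%dT%H:%M")] += 1
    return dict(buckets)


def spike_minutes(buckets: Dict[str, int], min_count: int = 5, factor: float = 4.0) -> List[str]:
    """Minutes whose count is both >= min_count and >= factor * the median minute.
    The median is robust to the spike itself; min_count keeps a quiet sensor
    (median 0 or 1) from alerting on every stray connection."""
    if not buckets:
        return []
    base = median(buckets.values())
    return sorted(m for m, n in buckets.items() if n >= min_count and n >= factor * base)


def sweeping_sources(attempts: List[Attempt], port: int = MSDTC_PORT, min_targets: int = 5) -> Dict[str, int]:
    """Sources that tried `port` on at least `min_targets` distinct hosts: the
    horizontal-sweep pattern of a worm hunting for machines to infect."""
    targets: Dict[str, Set[str]] = defaultdict(set)
    for a in attempts:
        if a.proto == "TCP" and a.dport == port:
            targets[a.src].add(a.dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    attempts = parse_log(SAMPLE_LOG)
    buckets = attempts_per_minute(attempts)
    print("TCP/1025 attempts per minute:", buckets)
    print("spike minutes:", spike_minutes(buckets))
    print("sweeping sources:", sweeping_sources(attempts))
```

On the constructed log, only the 10:05 minute is flagged (16 attempts against a median of 1) and only 203.0.113.7 qualifies as a sweeper; 198.51.100.23, which touched four hosts, stays under the five-target threshold, so an analyst would tune `min_targets` to the size of the monitored range rather than trust the defaults.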

The worm also injects a keylogger into the system, the F-Secure note states. While the report did not say what the keylogger is used for in this case, keyloggers are commonly used to record logins and passwords, credit card numbers and other sensitive information.