Security Experts On Alert for Large-Scale Hacker Assault

The security industry is on alert that an upswing in hacker activity could be signaling the

coming of a broad-scale attack that could potentially affect millions of networks.

The increased hacker activity is pinpointing a vulnerability in Microsoft Corp.’s Windows

operating system. A problem with the Windows RPC Interface Buffer Overrun was first

disclosed on July 16. Security experts say hackers started experimenting with the

vulnerability almost immediately, and the rate of system probes and online chatter about the

vulnerability has been skyrocketing.

”We’re very concerned,” says Dan Ingevaldson, an engineering manager with Altanta-based

Internet Security Systems, Inc. ”Administrators have a window of time to fix their systems,

but that window is getting smaller… We think there’s a risk here to the entire Internet.”

There’s enough of a wide-scale risk that the Department of Homeland Security (DHS) is on

alert. David Wray, a DHS spokesman, says his people have been monitoring the situation and

are in direct contact with the security community, as well as with industry.

”We’re seeing an Internet-wide increase in probing that could be a search for vulnerable

computers,” says Wray. ”It could be a precursor and it bears continued watching… It

certainly could be serious. It could lead to the distribution of destructive, malicious code

and it could cause considerable disruption.”

But Wray and security experts agree that the situation could be defused if IT managers and

individual consumers immediately download and install the patch that Microsoft has issued

for the RPC vulnerability.

The vulnerability itself, which affects Windows NT, Windows 2000 and Windows XP machines, is

a serious one.

Qualys, Inc., a security auditing and vulnerability management company based in Redwood

Shores, Calif., has rated the Windows flaw as the most critical one out there right now.

Gerhard Eschelbeck, CTO of Qualys, says it involves the most prominent protocol used in the

Windows environment and leverages highly exposed ports

Ingevaldson notes that the vulnerability is unique in that it affects both servers and

desktops, expanding the reach of any exploit that takes advantage of it.

”We haven’t seen much of that before this,” says Ingevaldson. ”It’s the first major

vulnerability that crosses the line between desktops and servers. It’s a core component of

the operating system.”

And Ingevaldson says there’s a lot of potential for damage here.

”Look at SQL Slammer,” he adds. ”That affected between 100,000 and 300,000 machines.

There’s a lot more Windows XP and 2000 out there. There’s a very large pool of vulnerable

machines. Millions potentially.”

And that kind of potential is drawing a sizable amount of attention from the hacker

community.

Chris Belthoff, a senior security analyst with Sophos, Inc., a security and anti-virus

company based in Lynnfield, Mass., says there hasn’t been an increase in virus or worm

activity yet, but they are seeing a major increase in system probes. Hackers are poking into

computers and networks around the world to see what systems are in place and what

vulnerabilities haven’t been patched.

The hackers have been experimenting with the exploit, says Ingevaldson, who has seen several

versions of the same tool that is being used to prod at the vulnerability.

And Qualys’ Eschelbeck says they have been monitoring online chatter about the vulnerability

in the hacker community. ”There’s a lot of creativity being put in right now to make the

exploit more powerful… and hit on a wider scale,” he says. ”It’s a strong indicator that

things are in the making.”

Most agree that the exploit would come in the form of a worm, since the vulnerability

doesn’t lend itself to a Denial-of-Service attack.

What security experts aren’t agreeing on is if the probes and increased hacker activity is

coming from one person or an organized group. The Department of Homeland Security is

reporting that there’s no evidence at this point that it’s an organized attack or that it’s

a matter of international terrorism.

But Sophos’ Belthoff says it does ring of an organized effort.

”My guess is that it’s a number of people,” he says. ”It’s not just an individual person

doing all these probes to assess vulnerability levels. The probes are distributed. The

normal level is pretty high and this is way above that.”

Belthoff adds, ”It’s a race against time and the potential for a new, big worm outbreak.”

News Around the Web