Homeland Security warns of possible cyberattack
By Joab Jackson
Aug 01, 2003
The Homeland Security Department has issued a warning that a vulnerability in certain Windows operating systems may be used as the basis for wide-scale attacks.
The department's Information Analysis and Infrastructure Protection National Cyber Security Division, which issued the July 30 advisory, said it has seen increased scanning across the Internet for computers vulnerable to attack. Microsoft Corp., whose operating systems are affected, also noted the increase.
"We have become aware of some activity on the Internet that we believe increases the likelihood of exploiting this vulnerability," said a technical bulletin from Microsoft about the flaw.
Ken Dunham, malicious code intelligence manager for security analysis firm iDefense Inc., Reston, Va., said what makes this vulnerability different from others is its high stature within the malicious hacking community.
"The key difference here is that the exploit code and the scanning tools are widely available and are very much promoted in the underground, as opposed to other vulnerabilities that may not have a scanning tool or have exploit code," Dunham said.
Although no worms that exploit this vulnerability have been spotted, Dunham said at least one underground group has been working within the past 48 hours to write a worm for it.
Dunham said there also has been increased scanning across computers owned by universities in the northwestern United States.
The scanning is being done by unknown parties, probably to install Trojan horses, or hidden programs that can log keystrokes or gain remote control over the computer, Dunham said.
The vulnerability could be serious, since it allows remote users or viruses to take control of a computer. The vulnerability stems from a faulty method used by Windows to handle commands issued by another computer over the network.
"The attacker would be able to take any action on the system, including installing programs, viewing, changing or deleting data or creating new accounts with full privileges," Homeland Security's advisory read. The operating systems potentially vulnerable are Microsoft's Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003.
Homeland Security issued the first advisory July 16. A subsequent advisory was issued July 30 after the agency noticed the increase in suspicious traffic. Although Microsoft has issued a patch to fix the problem, concern remains over computers that are still unpatched.
Gerhard Eschelbeck, chief technical officer and vice president of engineering at network security company Qualys Inc., Redwood Shores, Calif., said that systems administrators should take a close look for what he calls covert channels, or ways a worm or virus could sneak into a network behind its firewalls.
Possible entry points include virtual private networks or laptops that have been infected through home use and are then hooked onto the network.
Eschelbeck said that if released, a worm based on this vulnerability could do more damage than the Slammer worm that ravaged some government systems earlier this year.
"It is not only databases that would be affected. It would be any machine running the Microsoft operating system," Eschelbeck said.
The advisory is at: http://www.nipc.gov/warnings/advisories/2003/Potential7302003.htm
For Microsoft software patch and related information go to: http://microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp
Joab Jackson is the senior technology editor for Government Computer News.