posted on Jan, 18 2009 @ 04:26 PM
This worm is real, and I've known about it for quite some time. I actually posted about the specific security vulnerability that it uses to access
systems in the thread titled "Police set to step up hacking of home PCs".
What this worm does is by sending a malformed RPC packet to a vulnerable system, you are able to create a buffer overflow resulting in the execution
of injected shellcode. The shellcode most people use contains information for a port bind, which allows you to spawn a shell on any desired port on
the targeted system. The worm just uses a well known vulnerability and automates it. Probably by the use of a random number generator to create ranges
of IP addresses to infect. Each system infected would then try to infect thousands more.
This thing that makes this worm a bit more dangerous is the fact that you do not have to do anything in order to be infected. Even with a firewall,
you usually have some ports open, such as 80 for http. If I was the person coding the worm, I would include a small function that determines what open
ports are on the target system. This would allow the worm to determine by itself which port to set the port bind to. If the port scan comes back with
open ports of 21, 23, 80, 110 - then it would choose one of the four. Very few systems have 100% of all ports blocked. Indeed though, without a
firewall, you are at a much greater risk for many other types of penetration examples.
I used to use a zero day version of the RPC exploit a few months ago to prove to people that no matter how secure they though their systems were,
someone always has an edge. There is a lot of code out there that we dont release for the sole purpose of easy access. Firewalls, while good, often in
my eyes provide a false sense of security. There is many other security practices that should be followed - on top of having a sound access control
This worm is most definitely real. Its quite simple, and the way it gains access to systems is painfully easy. The vulnerability was patched with its
release on milw0rm in October, but many systems still find themselves comprimised due to failure to patch their systems. Also, I think the fear of
Microsoft patches and updates doesn't help. I have patched Microsoft systems before and had things stop working after that, so I could see people not
knowing about this exploit, failing to patch due to fear of breaking something else on their system.
Its a good thing the person who coded this worm did not make it do anything drastic. He could have easilly made the worm delete critical system files,
modify partition tables, one-way encryption of your drive, and so on. I think he made the worm strictly to spread, but not so much to cause mass
Things like this will continue happening due to Microsoft and the fact they hide their source code from public eyes. They do not practice safe
programming methods, and often have serious exploitable conditions within critical system processes. With open source software the people are forced
to keep security and system integrity in mind when programming, and it definitely shows.
Maybe one day i'll share the good stuff, but that sort of power corrupts absolutely.