By Jack M. Germain TechNewsWorld Part of the ECT News Network
04/19/04 7:56 AM PT
An increase in suspicious activity this weekend has Internet security experts bracing for what some analysts warn could be the next big worm attack worldwide. Virus monitors spent the weekend watching an increased level of activity that experts said could be the start of a Blaster-like attack.
A spokesperson for VeriSign (Nasdaq: VRSN) engineers told TechNewsWorld late Friday that new exploits are possible for the ASN.1 and LSASS buffer overflow vulnerability in Windows machines.
"At this point, we can report that we are seeing a statistical deviation in normal traffic patterns, and we have identified multiple exploits in the wild," Charles Kaplan, Information Security Officer for the MSS division at VeriSign, told TechNewsWorld. "Although these exploits have not materialized into a worm, with the information we have today, an attack early next week is likely."
Mikko Hyppönen, director of antivirus research at F-Secure in Finland, told TechNewsWorld in an e-mail interview on Saturday that there is cause for alarm. He said he expects something bigger than just a denial-of-service (DOS) attack.
"There's lots of activity going around right now as the bad boys have dozens of juicy fresh security vulnerabilities to choose from," Hyppönen told TechNewsWorld. "So we're seeing a lot of probing for various SSL-RPC ports. However, so far we've seen nothing that there would actually be something more organized happening right now or any signs of a new worm.
"I would expect to see a Blaster-like RPC worm within the next two to three weeks, though," Hyppönen warned.
Two Vulnerabilities Revealed
Kaplan said VeriSign's engineers identified two different vulnerabilities. One involves the Secure Sockets Layer (SSL), a critical technology designed to secure most Web and many e-mail transactions. The other involves the remote procedure call (RPC) protocol, which allows heterogeneous systems to communicate with one another.
VeriSign's engineers also noted a statistically significant increase in traffic on port 443 across the company's customer base. Port 443 is a common SSL service port.
"It would appear as if we are bearing witness to a broad-reaching reconnaissance scan to discover open SSL servers, followed by targeted denial-of-service attacks against some of those servers," Kaplan told TechNewsWorld.
He said the other traffic anomaly VeriSign began noticing Friday was an increase in port 1025 traffic. That activity is causing concerns because port 1025 is known to be used by Windows 2000 and Windows XP for RPC services.
Microsoft (Nasdaq: MSFT) released a new security patch last Tuesday for a new RPC vulnerability.
According to Internet security experts, Kaplan said, the activity surrounding port 1025 is particularly worrisome because many older firewalls have port 1025 exposed to the Internet. Those older devices often rely on packet-filtering technology only. That weakness can leave systems connected to them vulnerable to attack.
Preparing for the Vulnerability Now
Kaplan said engineers have not yet seen an actual new exploit of the ASN.1 and the LSASS Microsoft Windows vulnerabilities or evidence of such an exploit's use. But he added that VeriSign is preparing its engineers and clients for it now.
"While we can never predict with true certainty the next big Slammer or Blaster, our statistical traffic modeling surrounding the past week's traffic has all the telltale markers of a big worm coming," he said.
By late Friday, activity on the 443 port, an SSL port, had "gone through the roof," Kaplan said, adding that the report confirms the company's expectations that this is an issue requiring substantial attention.
"It looks as though it is a one-packet attack, which can be caught in the intrusion detection system, but it is critical that companies patch or they can get knocked offline," he said.
BlackIce Device Targeted
In what could be a related event, the Internet Storm Center this weekend issued its own alert about a possible worm attack having started against BlackIce firewall devices -- the second such attack on this software in three weeks.
According to the alert, the center said it detected an upsurge in User Datagram Protocol (UDP) traffic from source port 4000 early Saturday morning. The alert identified the cause of this traffic as a new variant of the Witty worm. It said the worm exploits a vulnerability in BlackIce's ICQ parser.
A bulletin posted this weekend on the center's Web site said infected hosts will send large amounts of UDP traffic, typically saturating a local network connection. As a result, users will not be able to shut down BlackIce. Instead, users will see a message that reads: "Operation could not be completed. Access is denied."
The bulletin, which said infected systems will crash as a result of corrupted hard disks, warned that the worm will not write itself to disk, causing virus scanners to fail to detect it.
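The indicators described above (a statistical deviation in port 443 traffic, inbound connections reaching the Windows RPC port 1025 through permissive packet filters, and heavy UDP traffic from source port 4000 as the Witty signature) can be checked against flow records. The following script is an added example, not code from the article or from VeriSign or the Internet Storm Center. The baseline counts, the flow records, the 3-sigma and 5,000-packet thresholds and the 10.0.0.0/8 "internal" network are all constructed for illustration.

```python
"""Added example: flag the three traffic anomalies the article describes,
using constructed flow records (not real data)."""
from collections import Counter
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed baseline: hourly packet counts to port 443 on a "normal" week.
BASELINE_PORT_443 = [1200, 1150, 1300, 1250, 1180, 1220, 1270]

# Constructed flow records: (protocol, src_ip, src_port, dst_ip, dst_port, packets)
FLOWS = [
    ("udp", "10.0.5.17", 4000, "203.0.113.9", 31337, 9800),
    ("udp", "10.0.5.17", 4000, "198.51.100.4", 2201, 9700),
    ("udp", "10.0.5.17", 4000, "192.0.2.77", 40012, 9900),
    ("tcp", "10.0.5.21", 51234, "203.0.113.9", 443, 12),
    ("tcp", "10.0.5.30", 44120, "10.0.5.2", 1025, 3),
    ("tcp", "203.0.113.50", 33000, "10.0.5.2", 1025, 5),
    ("udp", "10.0.5.40", 53, "10.0.5.2", 53, 40),
]

# Assumed parameters for the example (not values from the article).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
WITTY_SRC_PORT = 4000           # UDP source port named in the ISC bulletin
WITTY_PACKET_THRESHOLD = 5000   # constructed cutoff for "large amounts" of UDP
RPC_PORTS = (1025,)             # Windows 2000/XP RPC port named in the article


def zscore(observed, baseline):
    """Standard deviations between an observed count and the baseline mean."""
    mu = mean(baseline)
    sigma = pstdev(baseline)
    if sigma == 0:
        return 0.0 if observed == mu else float("inf")
    return (observed - mu) / sigma


def port_traffic_deviation(observed, baseline, threshold=3.0):
    """True when the observed count sits more than `threshold` sigmas above baseline."""
    return zscore(observed, baseline) > threshold


def witty_suspects(flows, src_port=WITTY_SRC_PORT, min_packets=WITTY_PACKET_THRESHOLD):
    """Internal hosts emitting heavy UDP traffic from the Witty source port."""
    totals = Counter()
    for proto, src_ip, sport, _dst_ip, _dport, packets in flows:
        if proto == "udp" and sport == src_port:
            totals[src_ip] += packets
    return sorted(ip for ip, n in totals.items() if n >= min_packets)


def is_internal(ip):
    """Membership test against the constructed internal address space."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def exposed_rpc_flows(flows, rpc_ports=RPC_PORTS):
    """External sources reaching an RPC port on an internal host, i.e. traffic a
    port-aware packet filter should have dropped at the perimeter."""
    hits = []
    for _proto, src_ip, _sport, dst_ip, dport, _packets in flows:
        if dport in rpc_ports and is_internal(dst_ip) and not is_internal(src_ip):
            hits.append((src_ip, dst_ip, dport))
    return hits


if __name__ == "__main__":
    print("port 443 deviation:", port_traffic_deviation(4000, BASELINE_PORT_443))
    print("Witty suspects:", witty_suspects(FLOWS))
    print("exposed RPC flows:", exposed_rpc_flows(FLOWS))
```

The z-score check is the simplest form of the "statistical traffic modeling" VeriSign described; on real data the baseline would come from per-port counts collected over a much longer window, and the internal network list from the site's own address plan.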