Network World

Microsoft hole spawns real attacks, false alarm

By Paul Roberts , IDG News Service , 04/28/2004

Anti-virus company Symantec backtracked on Wednesday after claiming that it captured an example of a new Internet worm that takes advantage of a recently disclosed hole in Windows machines running Secure Sockets Layer (SSL).

On Tuesday, the company trapped an example of the malicious code, called backdoor.mipsiv, and warned customers that it was either a new worm or a small automated program called a "bot" that exploits a new Windows Private Communications Transport Protocol (PCT) vulnerability, part of the Windows implementation of SSL. However, on Wednesday, Symantec said further analysis of the code showed that it was neither a worm nor a bot, and did not use the PCT vulnerability.

Instead, the code, still called backdoor.mipsiv, is now described as a Trojan program. Mipsiv is placed on vulnerable machines by malicious hackers, after which it opens communications ports on the systems it compromises and uses Internet Relay Chat (IRC) channels to receive instructions, Symantec said.

"We better understand what it's doing now and after further investigation, it doesn't look like it's self-propagating," said Jonah Paransky, senior manager of security product management at Symantec.

Symantec's confusion stemmed from its misinterpretation of a series of related, but isolated events, he said.

Malicious hackers have been scanning for machines that have the PCT vulnerability, then using exploit code targeted at that security hole to compromise those systems and place the mipsiv Trojan on them. Once installed, mipsiv communicates with the rest of the Internet through the same communications port, 443, that is used by PCT, he said.

However, the Mipsiv code does not contain either worm or bot features and could only have been placed on systems by attackers who compromised the system using the PCT exploit code, or other means, he said.

That means the effects of the PCT exploit are limited to the networks attackers choose to target, whereas a worm or virus that used the same hole could harm systems across the Internet.
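The detail that Mipsiv talks IRC over port 443, the port PCT and SSL use, suggests a simple network check a defender can run on captured flows: flag connections to TCP port 443 whose first client bytes are cleartext IRC commands rather than an SSL/TLS record. The code below is an added example, not from the article or from Symantec; the flow records and nicknames are constructed, and the SSLv2-style record check is an assumption used only to avoid flagging legacy SSL/PCT clients.

```python
# Client commands that start an IRC session or carry channel traffic.
IRC_CLIENT_COMMANDS = {"PASS", "NICK", "USER", "JOIN", "PRIVMSG", "PONG", "MODE"}


def classify_payload(payload: bytes) -> str:
    """Guess the protocol from the first bytes a client sent on a connection."""
    if not payload:
        return "empty"
    # SSLv3/TLS: handshake record type 0x16, protocol major version 0x03.
    if payload[0] == 0x16 and payload[1:2] == b"\x03":
        return "tls_handshake"
    # Legacy SSLv2-style record: 2-byte length header with the high bit set.
    # PCT, an SSLv2 derivative, uses a similar header (assumption, not parsed here).
    if payload[0] & 0x80:
        return "v2_style_record"
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return "binary_unknown"
    tokens = text.split()
    if tokens and tokens[0].startswith(":"):  # skip an optional IRC prefix
        tokens = tokens[1:]
    if tokens and tokens[0].upper() in IRC_CLIENT_COMMANDS:
        return "irc_cleartext"
    return "text_unknown"


def find_suspicious_443(flows):
    """Flows are (src, dst, dport, first_client_bytes) tuples. Returns
    (src, dst, kind) for port-443 flows whose first bytes are not an SSL/TLS
    record, e.g. a bot talking IRC on the port PCT also uses."""
    alerts = []
    for src, dst, dport, payload in flows:
        if dport != 443:
            continue
        kind = classify_payload(payload)
        if kind not in ("tls_handshake", "v2_style_record", "empty"):
            alerts.append((src, dst, kind))
    return alerts


# Constructed sample flows (RFC 5737 documentation addresses, made-up nicks).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\x9c\x01\x00\x00\x98\x03\x01"),
    ("10.0.0.7", "198.51.100.23", 443, b"NICK mips1234\r\nUSER mips 8 * :mips\r\n"),
    ("10.0.0.9", "198.51.100.23", 443, b":bot42!u@h JOIN #c\r\n"),
    ("10.0.0.11", "203.0.113.10", 80, b"GET / HTTP/1.1\r\n"),
    ("10.0.0.5", "203.0.113.12", 443, b"\x80\x2e\x01\x00\x02\x00\x15"),
]
```

Running `find_suspicious_443(SAMPLE_FLOWS)` reports only the two hosts sending IRC registration commands to port 443; the TLS and legacy-record flows pass, and the port-80 flow is out of scope.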

Microsoft warned customers about the buffer overrun vulnerability in PCT on April 13 and issued a software patch for affected systems. According to the company's security advisory, MS04-011, the PCT hole could allow a remote attacker to take complete control of affected systems.
