Worms that Fail to Turn
First Published: X-Force Monthly Magazine

A couple times each year we see Microsoft release fixes for a vulnerability that sends system administrators, security researchers, blackhats and worm writers scrambling.  This years first was MS06-040, or more specifically, the August buffer overflow in the Microsoft Windows Server Service.

What made this vulnerability significant was not so much that it appeared to be a remotely exploitable buffer overflow (there are literally hundreds of these each year), but the fact that the vulnerable Server Service is an application that runs by default on all currently supported Windows versions while listening on two common ports (TCP 139 and 445), and any attempts to disable the service would effectively make the host unusable from an enterprise network perspective.

Consequently, there were a lot of researchers racing to understand the vulnerability and write reliable exploits for it.  As anticipated, within 24 hours the first ‘commercial’ exploits were released (i.e. code included as part of commercial penetration testing tool suites), with first-generation ‘public’ exploits appearing the following day.

Then, within a day of public release of the exploit code, the first worms started trawling the Internet for unpatched hosts.

While there were eventually many worms that incorporated the public exploit for MS06-040, only two were worthy of more than a footnote in the grand scheme of things.  These worms contained updated variants of the Sdbot and Mocbot bot agents – both of which have been around for quite some time (the Mocbot first appeared in late 2005 using the MS05-039 PNP vulnerability) – and yet still managed to initially slip by many signature-based anti-virus engines.

Both of these bot-worms are very efficient propagators, yet they failed to achieve as much damage as less sophisticated worms have in the past.

Why was that the case?  While there are many contributing factors, two reasons stand above all others to me.  Firstly, enterprise security is actually getting better – organizations are patching faster, they are using perimeter defenses, they are using host protection, they are using content filters, and they are keeping all these components up to date – defense in depth really does work.  Secondly, the exploits which were initially released proved to be unreliable and affected only certain versions of windows – i.e. they were crippled – which gave organizations more time to update vulnerable hosts and increase protection.

It would seem that, in their rush to be first out with public exploit code, many researchers failed to comprehensively analyze the fix Microsoft had provided for MS06-040 and had focused on the first (most visible) vulnerability.  By doing so, they missed other vulnerabilities within the Server Service that had also been fixed (Microsoft often fixes multiple vulnerabilities within a single patch or bulletin), including one which could be exploited much more reliably.  In fact it was almost an entire week after the patch release before public exploits were updated to utilise the more reliable vulnerability and exploit vector.

In effect, since these bot-worms initially relied upon crippled exploits that had been publicly disclosed as part of the Metasploit project, many organizations had a timely reprieve.  If the worm writers had have had access to the exploits developed for the commercial penetration testing tools (such as Canvas and Core Impact) and exploited the less obvious vulnerabilities, there is little doubt that they would have been considerably more successful in propagating.

However, even if they had utilized the later, more reliable exploits, it is still unlikely that they would have caused the kinds of damage seen two or three years ago.  Enterprise networks are, in general, more secure than they used to be – and are better capable of thwarting this class of threat.  With that said, a new class of bot-worm which exploited Cisco IOS and propagated from router to router is a threat that very few Enterprises could contend with – so don’t get too comfortable just yet.
    Copyright 2001-2007 © Gunter Ollmann