Hackers are circulating a computer programme capable of exploiting a critical vulnerability in Windows operating systems, less than a week after the problem was first disclosed by Microsoft.
The programme, which is designed to launch denial-of-service attacks on Windows servers, could be used by hackers to disable corporate IT systems.
Its appearance on the internet has heightened the need for organisations to patch their systems quickly, said Richard Starnes, director of incident response at Cable & Wireless Managed Security Services.
Reports from the Sans Internet Storm Centre, which analyses attacks on the internet, suggest that hackers are already using the code to launch denial-of-service attacks.
Over the weekend, Cable & Wireless ran tests on the code, which exploits a buffer overflow vulnerability in Microsoft’s ASN.1 library in Windows 2000 and, potentially, other Windows versions.
Starnes said he was concerned that hackers could incorporate the exploit, designed to attack ports 445 and 139, into a new generation of worms capable of propagating on company networks.
“I don’t think we are going to see anything very quickly by way of an attack or a new worm, because it takes time to develop these things. But that does not mean that hackers are not going to get hold of a copy of MyDoom and put their code in it,” he said.
Although many businesses block ports 445 and 139, a worm could wreak havoc if it entered a company’s internal systems.
“Organisations should make sure they are implementing proper external and internal security for 445 and 139. They should get their signatures for this vulnerability on their intrusion detection systems updated as soon as possible,” he said.
Consumers with broadband could be particularly vulnerable to a new worm, providing it with a launch pad for attacks against businesses, Starnes warned.
The Sans Internet Storm Centre has reported an upsurge in activity on port 445, suggesting that the exploit is already in use.
The exploit appeared on the internet on 14 February, four days after Microsoft released its patch.
The analysis by C&W has verified that the code is capable of attacking port 445 on Windows XP and Windows 2000, but the company has not yet been able to replicate attacks on port 139.