August 2006 Archives

Botnets! What are they good for?!?


Joe wrote in his comment from my previous entry:

I think this pertains to the issue:,1895,2004893,00.asp

As I often do, my response back got to be rather lengthy so I decided to make a new Entry for it.

Yep, in this particular case they're using the vulnerability I wrote about, MS06-040. Botnets are really common and are these days a primary goal of someone writing malware. Usually the bots (or zombies, as they are sometimes called) are used for sending spam, just like in the E-Week article; other times they are used to overload a website and take it down.

A few years back that is what happened to several major websites: botnets were used to send millions of "hello" packets to major corporations so that their websites never came up for real visitors. These "hello" packets are a type of TCP (Transmission Control Protocol) packet called a SYN (synchronize) packet, the very first packet two computers "speaking" TCP exchange. The first three packets two TCP speakers exchange are called the three-way handshake: the first machine sends a SYN, the second machine replies with its own SYN that also carries the ACK (acknowledgement) flag (the SYN/ACK), and finally the first machine sends an ACK (no SYN this time, notice) back to the second. Only after all of that can the two machines send data back and forth over the connection.

Now what happens in the SYN flood attack I was mentioning is that the botnet sends millions of SYN packets to the target website. The machines that make up the site have to reply with a SYN/ACK for each one and then hold a half-open connection in memory while they wait for the final ACK. The catch is that the bots forge their source addresses, so those SYN/ACKs go to hosts that never asked for them, and nobody ever sends the final ACK. A server can only hold a limited number of half-open connections (its SYN backlog) before it starts dropping new SYNs, so once the backlog is full of the attacker's bogus entries, legitimate visitors' SYNs get dropped too and the site appears to be down.

Since everyone knows this happens, many mechanisms have been created to stop this type of attack from working; SYN cookies, which let a server answer a SYN without storing any state until the final ACK arrives, are the best known, and AOL and Foundry Networks hold a patent on another such method. Unfortunately, if an attacker has a large enough botnet he can simply let his machines complete the three-way handshake and then continuously request pages from the website. That floods the web servers themselves rather than the TCP stack, still keeps legitimate viewers from seeing the site, and gives the SYN flood defences nothing to catch.
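To make the backlog argument concrete, here is an added toy model (not code from this post, and nothing goes on the wire) of a listener handling the three-way handshake with and without SYN cookies. The backlog size, the HMAC-based cookie construction, the "per-boot secret" and the spoofed 203.0.113.x sources are all assumptions made up for the example; real stacks also expire half-open entries after a timeout, which a flood simply has to outpace.

```python
"""Toy model of a TCP listener's SYN backlog, with and without SYN cookies.

Added illustration, not code from the original post. Nothing is sent on
the wire; the backlog size, cookie construction, secret and the spoofed
source addresses are constructed for the example.
"""
import hashlib
import hmac

BACKLOG = 128                    # half-open connections the listener will hold
SECRET = b"per-boot-random-key"  # hypothetical per-boot secret for the cookie MAC
MASK32 = 0xFFFFFFFF              # TCP sequence numbers are 32-bit


class Listener:
    def __init__(self, syn_cookies=False):
        self.syn_cookies = syn_cookies
        self.half_open = {}      # (src, sport) -> our ISN, waiting for the final ACK
        self.established = set()
        self._next_isn = 1000

    def _cookie(self, src, sport, client_isn):
        # SYN cookie: our ISN is a MAC over the connection tuple and the client's
        # ISN, so a correct final ACK proves the peer really got our SYN/ACK.
        msg = f"{src}:{sport}:{client_isn}".encode()
        mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src, sport, client_isn):
        """Step 1 of the handshake. Return our SYN/ACK sequence number, or None if dropped."""
        if self.syn_cookies:
            # Stateless: the ISN *is* the state; nothing is stored until the ACK.
            return self._cookie(src, sport, client_isn)
        key = (src, sport)
        if key in self.half_open:
            return self.half_open[key]          # retransmitted SYN, same ISN
        if len(self.half_open) >= BACKLOG:
            return None                         # backlog full: legitimate or not, this SYN is lost
        isn = self._next_isn
        self._next_isn += 1
        self.half_open[key] = isn
        return isn

    def on_ack(self, src, sport, client_isn, ack_num):
        """Step 3 of the handshake. Return True if the connection becomes established."""
        key = (src, sport)
        if self.syn_cookies:
            if ack_num != (self._cookie(src, sport, client_isn) + 1) & MASK32:
                return False                    # forged or stale ACK, no state consumed
        else:
            if key not in self.half_open or ack_num != (self.half_open[key] + 1) & MASK32:
                return False
            del self.half_open[key]             # half-open entry graduates to established
        self.established.add(key)
        return True


def syn_flood(listener, count):
    """Send `count` SYNs from spoofed sources that never answer the SYN/ACK.
    Returns how many SYNs the listener actually replied to."""
    answered = 0
    for i in range(count):
        spoofed_src = f"203.0.113.{i % 256}"   # constructed, never-answering sources
        if listener.on_syn(spoofed_src, 1024 + i, client_isn=i) is not None:
            answered += 1
    return answered


def legit_connect(listener, src="198.51.100.7", sport=40000, client_isn=4242):
    """A real client performing all three steps. Returns True on success."""
    synack_seq = listener.on_syn(src, sport, client_isn)
    if synack_seq is None:
        return False                            # SYN dropped: to the user the site is down
    return listener.on_ack(src, sport, client_isn, (synack_seq + 1) & MASK32)


def demo(flood_size=1000):
    """Run the flood against both listener modes and report what a real client sees."""
    results = {}
    for cookies in (False, True):
        srv = Listener(syn_cookies=cookies)
        answered = syn_flood(srv, flood_size)
        connected = legit_connect(srv)
        results["cookies" if cookies else "plain"] = {
            "flood_syns_answered": answered,
            "half_open_after_flood": len(srv.half_open),
            "legit_client_connected": connected,
        }
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

In plain mode the first 128 spoofed SYNs fill the backlog and the legitimate client's SYN is simply dropped; with cookies the flood costs the listener only a SYN/ACK per packet and the real client still connects. Note that the second attack described above, bots that complete the handshake and then hammer the site with requests, passes straight through this check, because every one of those connections is a valid three-way handshake.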

Okay, that took a little bit of a side turn, but that's me, always wandering around with my words!

Basically, every time the good guys figure out a way to prevent an attack, the bad guys go and find another annoying thing to do to bug people.

MS06-040... Could Be Bad


Microsoft released its normal monthly patches today. Unfortunately, today's set included one that is anything but normal. MS06-040, a flaw in the Windows Server service, looks to be exploitable over network ports 139 and 445, the ports Windows file and printer sharing listen on. This means a crafty person could write a program that connects out to machines listening on 139/445, sends a specially crafted packet that takes advantage of the vulnerability and installs the program on the victim's machine, and then has the victim start scanning for more targets and repeating the process: a worm. US-CERT is already reporting that exploits are available in the wild, so it could be a very bad night!
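The tell-tale sign of the scanning step described above is one host suddenly sending SYNs to port 139 or 445 on many different neighbours in a short time. As an added example (not from the original post), here is a small detector that runs over constructed connection-log lines; the five-field "epoch src dst dport flags" layout, the 60-second window and the fan-out threshold of 20 are assumptions you would adapt to your own logs.

```python
"""Flag worm-style fan-out scanning to TCP 139/445 in connection logs.

Added illustration, not code from the original post. The log lines below
are constructed, the field layout (epoch src dst dport flags) is an assumed
simplified format, and the window/threshold values are assumptions to tune.
"""
from collections import defaultdict

SMB_PORTS = {139, 445}
WINDOW_SECONDS = 60
FANOUT_THRESHOLD = 20   # distinct hosts probed on 139/445 within one window

SAMPLE_LOG = [
    "1155604801 192.168.1.20 192.168.1.5 445 S",      # normal file-server use
    "1155604802 192.168.1.20 192.168.1.5 445 S",
    "1155604803 192.168.1.31 93.184.216.34 80 S",     # web browsing, not SMB
    "not a log line at all",                          # malformed, must be skipped
] + [
    # constructed burst: one infected host probes 30 neighbours on 445 in 30 seconds
    f"{1155604810 + i} 192.168.1.50 192.168.1.{100 + i} 445 S" for i in range(30)
]


def parse_line(line):
    """Parse 'epoch src dst dport flags' into a tuple, or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, flags = parts
    try:
        return int(ts), src, dst, int(dport), flags
    except ValueError:
        return None


def fanout_by_source(lines, window=WINDOW_SECONDS):
    """For each source, the largest number of distinct hosts it sent a SYN to on
    139/445 within any `window`-second span."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, flags = rec
        if dport in SMB_PORTS and "S" in flags:
            per_src[src].append((ts, dst))

    result = {}
    for src, events in per_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> how many events in the current window
        best, left = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the left edge forward until everything is within `window` seconds
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        result[src] = best
    return result


def find_scanners(lines, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Sources whose 139/445 fan-out reaches the threshold: worm candidates."""
    return {src: n for src, n in fanout_by_source(lines, window).items() if n >= threshold}


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct SMB targets within {WINDOW_SECONDS}s")
```

The file-server client hits the same destination repeatedly and never trips the threshold, while the infected host's fan-out stands out immediately. In a real network, domain controllers, patch-management servers and vulnerability scanners legitimately fan out on 445 as well, so allowlist those sources before paging anyone.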

This isn't anything new, though; this is at least the fourth time Microsoft has shipped this type of remotely exploitable, wormable hole. One of the first major ones was SQL Slammer (January 2003). That one was particularly nasty in that it had no timing mechanism to slow down how fast it spread. Since it was based on UDP, it didn't even bother checking whether the remote machine was up or listening on the vulnerable port (UDP 1434); it just fired a single UDP packet of under 400 bytes at random addresses as fast as the network would carry them, and infected at least 75,000 hosts around the world, most of them within the first ten minutes.

The next major event was Blaster, the summer after SQL Slammer. It took advantage of a DCOM RPC vulnerability (MS03-026, reachable on TCP port 135) and also caused havoc throughout the world. Welchia, also known as Nachi, was released close on Blaster's heels; it used the same DCOM hole plus an older IIS WebDAV one, and as it spread it tried to remove Blaster and install the Microsoft patch.

Finally, just last year a Windows Plug and Play vulnerability (MS05-039, the one the Zotob worm used) was released; it did not have nearly as large an impact on the world, so perhaps individuals and companies have finally learned to patch quickly when Microsoft tells them to? Hopefully today's vulnerability will be nothing but a minor annoyance as well. If so, then perhaps it is because lots of people are doing the right thing instead of waiting months and months between patching their Windows systems.

I really hope I'm wrong and nothing comes of this, this is one time I don't mind being wrong!