Autorooter worm attacks Windows RPC flaw

By Alun Williams

Posted on 4 Aug 2003 at 15:55

The US Department of Homeland Security's concerns that hackers were preparing viruses to take advantage of a recently discovered flaw in Windows have been vindicated, with the arrival of the Autorooter worm.

The almost inevitable sequence of events - from a vulnerability being identified to exploits for it entering widespread use - have been squashed into a couple of weeks.

Just two weeks following Microsoft's warning of a Windows vulnerability in the handling of the RPC (Remote Procedure Call) protocol - which allow programs running on one computer to run code on another - Kaspersky Labs has flagged the arrival of the 'Autorooter' Internet worm, which attacks vulnerable Windows NT, 2000 and XP systems.

Kapersky describes 'Autorooter' as a hybrid - part Internet worm and part backdoor Trojan. The self-replication segment of the worm, however, is not activated. But the company predicts that the author of the worm may well activate the self-replication functions, leading to widespread dispersal.

And the bad news is that there could be more bad news on the way. 'We believe that this version of "Autorooter" is only the experimental one. A more viable version is likely to appear and cause serious damage to the Internet', commented Eugene Kaspersky, Head of Anti-Virus Research for Kaspersky Labs, 'It is possible that the author of 'Autorooter' wanted to create a network of infected computers to prepare a global virus epidemic or perform a global hacker attack'.

Kaspersky Labs strongly recommends that all users download the relevant Microsoft patch and block TCP ports 135, 139 and 445 using their firewalls.

On Friday we reported - that the American Department of Homeland Security (DHS) was warning of the threat from viruses that would exploit the known Windows vulnerability.

The department reported a significant increase in scanning activity for systems susceptible to the exploit over the previous few days. The flaw, for which a patch is available, relates to Microsoft's particular handling of RPC - Critical hole in Microsoft's Windows.

The vulnerability affects the NT line of Windows: from NT 4.0 through to Windows XP and Windows Server 2003, Microsoft's most recent big product launch. There is an error in the way the protocol is used to check messages sent over TCP/IP which can be exploited by sending malformed messages, giving a successful attacker local system privileges through the target system.

RPC messages run on port 135, and Microsoft says that systems behind a firewall should already be protected from attacks from the Internet.