Antivirus company Symantec has backtracked after claiming it captured an example of a new Internet worm that takes advantage of a recently-disclosed hole in Windows machines running Secure Sockets Layer (SSL).
On Tuesday, the company trapped an example of the malicious code called backdoor.mipsiv and warned customers that it was either a new worm or a small automated program called a "bot" that exploits a new Windows Private Communications Transport Protocol (PCT) vulnerability, part of the Windows implementation of SSL. However, on Wednesday, Symantec said further analysis of the code shows it is neither a worm nor a bot, and doesn't use the PCT vulnerability.
Instead, the code, still called backdoor.mipsiv, is described as a Trojan horse program. Mipsiv is placed on vulnerable machines by malicious hackers, after which it opens communications ports on systems it compromises and uses Internet Relay Chat (IRC) channels to receive instructions, Symantec representatives say.
"We better understand what it's doing now and after further investigation, it doesn't look like it's self propagating," says Jonah Paransky, Symantec senior manager of security product management.
Symantec's confusion stemmed from its misinterpretation of a series of related, but isolated events, he says.
Malicious hackers have been scanning for machines that have the PCT vulnerability, then using exploit code targeted at that security hole to compromise those systems and place the mipsiv Trojan on them. Once installed, mipsiv communicates with the rest of the Internet through the same communications port, 443, that is used by PCT, he says.
However, the Mipsiv code contains neither worm nor bot features, and could only have been placed on systems by attackers who compromised the system using the PCT exploit code or other means, he says. That means the effects of the PCT exploit will be felt only on the networks attackers choose to target, whereas a worm or virus that used it could harm systems across the Internet.
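The detection angle the two paragraphs above suggest, as an added example that is not from the article or from Symantec: a Trojan that talks IRC over TCP port 443 does not speak TLS, so the first bytes of each session can be classified. The session records and payloads below are constructed for this example; the SSLv2-style record check is an assumption about legacy framing, not a claim about PCT itself.

```python
"""Flag plaintext IRC-style traffic on TCP/443 from captured session first-bytes."""
import re

# Constructed sample: (source, destination, first bytes sent by the client on port 443).
SAMPLE_SESSIONS = [
    ("10.0.0.5", "203.0.113.10", bytes.fromhex("160301004a0100004603")),  # TLS ClientHello
    ("10.0.0.7", "203.0.113.20", b"NICK abc123\r\nUSER abc 0 * :abc\r\nJOIN #ctrl\r\n"),
    ("10.0.0.9", "203.0.113.30", b"\x80\x2e\x01\x03\x01"),  # legacy SSLv2-style hello framing
    ("10.0.0.11", "203.0.113.40", b"PRIVMSG #ctrl :ready\r\n"),
    ("10.0.0.12", "203.0.113.50", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]

# Common IRC client commands at the start of a stream (case-insensitive).
IRC_CMD = re.compile(rb"^(NICK|USER|JOIN|PRIVMSG|PASS|PING|PONG)\b", re.IGNORECASE)


def classify_payload(data: bytes) -> str:
    """Label the first bytes of a client stream on port 443."""
    # TLS record: content type 0x16 (handshake), major version 0x03.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    # Assumed legacy framing: 2-byte length with MSB set, then msg type 1 (hello).
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-style-hello"
    if IRC_CMD.match(data):
        return "irc-plaintext"
    return "other-plaintext"


def find_suspect_sessions(sessions):
    """Return (src, dst, label) for sessions that look like IRC rather than SSL/TLS."""
    alerts = []
    for src, dst, payload in sessions:
        label = classify_payload(payload)
        if label == "irc-plaintext":
            alerts.append((src, dst, label))
    return alerts


if __name__ == "__main__":
    for src, dst, label in find_suspect_sessions(SAMPLE_SESSIONS):
        print(f"suspect: {src} -> {dst}:443 ({label})")
```

Non-IRC plaintext on 443 (the HTTP line above) is deliberately not alerted on, since it is common and needs separate handling.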
Microsoft warned customers about the buffer overrun vulnerability in PCT on April 13 and issued a software patch for affected systems. According to the company's security advisory, MS04-011, the PCT hole could allow a remote attacker to take complete control of affected systems.
Sample computer code to exploit the hole appeared on the Internet within days of the company's notice. This prompted Microsoft to issue a warning to customers last week about the malicious activity.
Other Reports
In recent days, other security experts who monitor malicious activity online have warned of increased attacks that use the SSL vulnerability. They postulated that a worm was responsible, but no one has captured a copy of the malicious code.
The SANS Institute's Internet Storm Center said Tuesday it received reports of exploits using the SSL PCT hole and systematic scanning of networks for vulnerable systems, which indicated some kind of "automated tool."
Antivirus and security technology companies compete intensely to be the first to spot and even name new Internet threats like worms and viruses.
Symantec did not jump the gun in an attempt to be the first company to spot the new threat, Paransky says. "This is a classic tension in the community between letting customers know early and letting them know more information," he says.
The danger of the PCT vulnerability and its widespread impact prompted the quick response from the company, which also raised its ThreatCon Rating of global network activity to level three, or "High" alert. That designation indicates an "isolated threat to the computing infrastructure is currently underway or ... malicious code reaches a severe risk rating."
Symantec will leave the ThreatCon Rating in place for at least 24 hours, Paransky says. He says he cannot comment on whether it would be lowered after that.
Despite the false alarm with mipsiv, the increase in scanning for machines vulnerable to the PCT exploit means that a true worm or other automated attack is likely in the future, he adds.