Biography of a Worm

Aliso Viejo, California, October 8, 2003

Bug Buster Yuji Ukai of EEye Digital Security hunts for Windows vulnerabilities.
Photograph: Andrew Brandt
Yuji Ukai is paid to find new ways to infiltrate your PC. Long after normal working hours at EEye Digital Security, where Ukai works on "vulnerability management" software (which large companies use to protect their computer networks from hack attacks), he's still in front of his office workstation.

He should be home, but instead he has opted to have a little fun. And in Ukai's world, "fun" means searching like a bloodhound for security flaws in the millions of lines of software code that power the most widely used operating system in the world.

EEye's products try to anticipate where hackers will strike next and to throw a blockade in their path. Its customers expect EEye to protect their computers even when there's no official fix for a problem. As a result, researchers at businesses like EEye constantly dig into Windows, looking for weaknesses that nobody else knows about.

The company's record speaks for itself: During the past 30 days, Ukai and his colleagues have discreetly notified Microsoft about six new Windows vulnerabilities they've discovered. Ukai found one of them, an unused command in a part of Windows called the Workstation Service.

Something tells him that other parts of the system have this same vulnerability. So tonight he's digging through DLL files, looking for the flaw. He starts out by checking other services--programs running various portions of the Windows operating system--that are turned on by default.

Almost immediately he finds another hole. And this one is inside the Big Kahuna: the Local Security Authority Subsystem Service. LSASS controls all aspects of security for the local Windows machine. He can get it to shut down, so Windows doesn't have any protection for a short period of time; he can also get LSASS to run a program of his choosing, thereby turning Windows' "security guard" into an insider that's working for him--one that can take control of Windows 2000 and Windows XP PCs. Hackers could do the same thing if they knew about the security flaw and were skilled enough to take advantage of it.

Ukai informs his boss that he's discovered a surprisingly easy method of controlling LSASS. Within hours, executives at EEye are on the phone to Microsoft. A significant portion of the world's computers have a major security hole. Fortunately, only EEye and Microsoft (as far as they're aware) know about it. Now, Microsoft must fix the problem before anyone else finds out.

The service EEye provides protects its customers, but it also creates two classes of Windows users: Those who are protected from newly discovered vulnerabilities (EEye's customers), and the rest of us, who must wait (sometimes months) for a patch and who remain ignorant of looming potential problems with our PCs.

Redmond, Washington, October 8, 2003

Windows Bug Stompers: The Microsoft Security Response Center's core members include (from left) Amy Carroll, Kevin Kean, Stephen Toulouse, and Richie Lai.
Windows Bug Stompers: The Microsoft Security Response Center's core members include (from left) Amy Carroll, Kevin Kean, Stephen Toulouse, and Richie Lai.
At the Microsoft Security Response Center (MSRC), an ordinary-looking office space in the heart of the software giant's campus, the team's ten top members are scrambling around like emergency-room physicians to triage a wounded Windows.

The triage team first analyzes the report and reproduces the problem, says Kevin Kean, director of the MSRC. Next, they bring in the Secure Windows Initiative (SWI) group--the SWAT team for Windows security bugs--programmers and product managers, who create a fix. Once they have a good idea of how to patch the bug, the MSRC goes through a lengthy, in-depth test rollout "to make sure we have a quality fix," says Kean.

The LSASS case quickly grows into a mammoth undertaking. In less than a week, the ten analysts bring aboard hundreds of programmers, product managers, and bug testers.

Despite the potential for catastrophe, Kean and Stephen Toulouse, the company's security program manager, breathe somewhat easier because EEye abides by the software industry's gentlemen's agreement known as responsible disclosure. Under these unofficial guidelines, the discoverer of a vulnerability gives the affected software company adequate time to work out a solution before the discoverer announces technical details to the world.

Responsible disclosure temporarily protects the public, at least in theory. Had EEye immediately posted these details online, Kean's team would have faced the nightmare of trying to fix a security hole at the same time as hackers were launching new viruses or worms. But keeping the details quiet can create a false sense of security, too. While Microsoft works on the patch, a criminal hacker might discover and covertly exploit the hole.

Kean says that most security researchers now refrain from posting details until after the patch comes out--a practice that used to be quite rare. As a result, Microsoft can focus on producing patches that don't cause additional problems. But that process requires testing--lots and lots of testing, in this case.

Tracking the Sasser Worm

More than six months passed before Microsoft released a patch for the LSASS vulnerability. But it took only 18 days for the Sasser worm to appear, and less than a week for it to affect up to a million PCs. Meanwhile, the lead suspect has yet to go to trial.

Subscribe to the Security Watch Newsletter

Comments