Microsoft hole spawns real attacks, false alarm

Antivirus company, Symantec, has gone back on its claim that it had captured an example of a new Internet worm that takes advantage of a recently-disclosed hole in Windows machines running Secure Sockets Layer (SSL).

On Tuesday, the company trapped an example of the malicious code called backdoor.mipsiv. and warned customers that it was either a new worm or small automated program called a "bot" that exploits a new Windows Private Communications Transport Protocol (PCT) vulnerability, part of the Windows implementation of SSL.

However, on Wednesday, Symantec said further analysis of the code showed that it was neither a worm nor a bot, and didn't use the PCT vulnerability.

Instead, the code, still called backdoor.mipsiv, is described as a Trojan program. Mipsiv is placed on vulnerable machines by malicious hackers, after which it opened communications ports on systems it compromised and used Internet Relay chat (IRC) channels to send instructions, Symantec said.

"We better understand what it's doing now and after further investigation, it doesn't look like it's self propagating," senior manager of security product management at Symantec, Jonah Paransky, said.

Symantec's confusion stemmed from its misinterpretation of a series of related, but isolated events, he said.

Malicious hackers have been scanning for machines that have the PCT vulnerability, then using exploit code targeted at that security hole to compromise those systems and place the mipsiv Trojan on them.

Once installed, mipsiv communicatedwith the rest of the Internet through the same communications port, 443, that was used by PCT, Paransky said.

However, the Mipsiv code did not contain either worm or bot features and could only have been placed on systems by attackers who compromised the system using the PCT exploit code, or other means, he said.

That means that the effects of the PCT exploit will be felt on targeted networks, whereas a worm or virus that used it could harm systems across the Internet.

Microsoft warned customers about the buffer overrun vulnerability in PCT on April 13 and issued a software patch for affected systems. According to the company's security advisory, MS04-011, the PCT hole could allow a remote attacker to take complete control of affected systems.

Sample computer code to exploit the hole appeared on the Internet within days of the warning, prompting Microsoft to issue a warning to customers about the malicious activity.

In recent days, other security experts that monitor malicious activity on the Internet had been warning of increased attacks that use the SSL vulnerability and postulated that a worm may be responsible, but nobody has captured a copy of the malicious code.

The SANS Institute's Internet Storm Center said that it received reports of exploits using the SSL PCT hole and systematic scanning of networks for vulnerable systems, which indicated some kind of "automated tool."

Antivirus and security technology companies compete intensely to be the first to spot and even name new Internet threats like worms and viruses.

Symantec did not jump the gun in an attempt to be the first company to spot the new threat, Paransky said.

"This is a classic tension in the community between letting customers know early and letting them know more information," he said.

The danger posed by the PCT vulnerability and its widespread impact prompted the quick response from the company, which also raised its ThreatCon Rating of global network activity to level three or "High" alert, indicating that an "isolated threat to the computing infrastructure is currently underway or ... malicious code reaches a severe risk rating," according to the company's Web page.

Symantec would leave the ThreatCon Rating in place for at least 24 hours, Paransky said. He could not comment on whether it would be lowered after that.

Despite the false alarm with mipsiv, the increase in scanning for machines vulnerable to the PCT exploit meant that a true worm or other automated attack was likely in the future, he said.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >

Victorinox Werks Professional Executive 17 Laptop Case

Learn more >



Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?