In-Depth

Security Briefs

Microsoft Warns of Critical ASN.1 Vulnerability; More Doom Unleashed

• By Mathew Schwartz
• 02/18/2004

Highly Critical Microsoft ASN.1 Vulnerability

Microsoft issued a “highly critical” warning that its ASN.1 library, a cryptographic and authentication cornerstone of recent operating systems, could give an attacker root access.

Various applications employ ASN.1, especially for cryptography and authentication. According to CERT, for example, “ASN.1 is used by a number of cryptographic and authentication services such as digital certificates (x.509), Kerberos, NTLMv2, SSL, and TLS. Both client and server systems are affected. The Local Security Authority Subsystem (lsass.exe) and a component of the CryptoAPI (crypt32.dll) use the vulnerable ASN.1 library.”

So far, the list of known, affected software includes Microsoft Windows NT 4, 2000, XP, or 2003, used with any of the following: Exchange 5.x, 2000, 2003; IIS 4.0, 5.0, 5.1, and 6.0 (when client certificate parsing is enabled), Internet Explorer, ISAKMP/IPSec, Kerberos, LDAP, NTLMv2 authentication, or Outlook.

According to eEye Digital, which discovered the vulnerability, any application that uses ASN.1 could be used to launch an attack. (See eEye Digital's press release for further details: http://esj.com/vendor_news/article.asp?EditorialsID=101.)

The threat, says CERT, is that “an unauthenticated, remote attacker could execute arbitrary code with the privileges of the process using the ASN.1 library. In the case of most server and authentication applications, an attacker could gain system privileges.”

Microsoft released a patch to fix the problem.

Currently “there are currently no known exploits in the wild for this issue,” says CERT. “Due to the nature of this vulnerability, reliable and successful remote exploitation is considered difficult.”

Link: http://microsoft.com/technet/security/bulletin/MS04-007.asp

New Doomjuice Follows in MyDoom Footsteps

Antivirus vendors warned of two versions of Doomjuice, a virus which scans the Internet for Mydoom-infected computers. Doomjuice then attempts to launch a denial-of-service attack against Microsoft’s Web site.

Here’s the ingenious bit, notes antivirus vendor Kaspersky Labs: “The author of Doomjuice.b uses a server request technique unique for such virus type: the worm's request mimics the Internet Explorer request text. As a result, requests from infected computers may not be blocked, as this technique makes it impossible to distinguish between valid requests and ones generated by Doomjuice.b. This feature potentially increases the destructive capabilities of the worm.”

Doomjuice.b can infect any computer already infected by Doomjuice.a; the newer version uses the backdoor already installed by Doomjuice.a. Infection will be automatic; a user won’t know. The virus doesn’t spread via e-mail.

Doomjuice.b-infected computers have a copy of the worm in the Windows directory with the name regedit.exe. The worm “registers this file in the system registry auto-run key,” says Kaspersky. After installation, the worm watches the computer’s date, then attacks anytime except January, or between the 8th and 12th of a month, attempting to overwhelm www.microsoft.com with GET requests to port 80. The worm also drops a copy of the MyDoom.A source code on the infected hard drive.

Given that the source code of MyDoom wasn’t well known, Mikko Hypponen, director of anti-virus research at F-secure, surmises Doomjuice.b is a method for throwing investigators off the scent. "The authors know the police [are] looking for them. And the best evidence against them would be the possession of the original source code of the virus. Before the Doomjuice incident, only the authors of Mydoom.A had the original source code. Now probably tens of thousands of people have it on their hard drive—without knowing it", says Hypponen.