The warning comes after several security programmers released source code that makes it easy for an attacker to take control of any Windows computer that has not applied a patch released by Microsoft.
The software flaws targeted by the exploit code are two critical vulnerabilities that the software giant warned about on 13 April.
"From January to March [of this year], we mainly saw mass-mailing worms," said Vincent Weafer, senior director for security company Symantec's security response centre. "Between now and the end of summer, it's likely [that] we'll see... a Blaster-type event."
Currently, Symantec and the Internet Storm Centre, a site that monitors network threats, have both detected automated attacks on computers that have not had the recent security holes patched. An exploit that uses a vulnerability in the private communications transport (PCT) feature of Windows Web servers, known as Microsoft Internet Information Servers (IIS), has compromised systems at many companies, Ullrich said.
While some news reports have theorised that a new worm is on the loose, the data traffic caused by the attacks has not risen to the level typically seen with worms, said Johannes Ullrich, chief technology officer for the Internet Storm Centre.
"It's nothing I would call a worm yet, but companies are being hit with the code," he said. "It is not as prevalent as I would have thought by now."
The Internet Storm Centre, which is operated by the SANS Institute, has also found evidence of code that takes advantage of another, more widespread vulnerability. That flaw, in a Windows security component known as the Local Security Authority Subsystem Service (LSASS), has been added to an automated attack agent, or bot, known as AgoBot. Such programs run invisibly on a compromised computer, giving an intruder full control of the system and the ability to use the PC in attacks.
Symantec confirmed that it has also captured a version of the AgoBot program, known as PhatBot, that appears to have the ability to attack systems through the LSASS vulnerability. While that is a worry, the greater threat would be a fully automated worm, Weafer said. He added that, in scope and ease of attack, the LSASS exploit is similar to the one that allowed the MSBlast worm to spread so widely.
In fact, the anticipation of a major Internet attack has risen to a level comparable to that prior to the MSBlast worm that launched last August and ended up infecting more than 8 million computers by the end of March. On Wednesday Microsoft updated the number of computers cleaned of MSBlast to 9.5 million.
The two flaws threaten different pieces of the computing infrastructure. The PCT vulnerability puts Web servers that use Secure Sockets Layer encryption features at risk. Such servers are common in e-commerce applications, allowing intruders to target high-value computers with the vulnerability. The LSASS flaw affects almost every Windows computer that has not yet been patched, leaving the door open to a worm attack.
"They are very different in terms of the types of machines that the exploit would target," said Stephen Toulouse, security program manager for Microsoft's Security Research Centre.
Although a worm has not yet been created, the danger from would-be intruders using the most recent exploit programs is still real, the Internet Storm Centre's Ullrich said. The centre, which tracks attacks and worms by analyzing firewall records, indicated that would-be intruders are scanning companies for vulnerable systems, and when they find such systems, they attack.
"In a couple [of] minutes, we've seen whole IIS server farms taken out," he said.
The situation has Microsoft reiterating its plea for patching. "We urge all our customers to apply the updates as soon as possible," said the software giant's Toulouse.
More information on the flaws and the patches can be found on Microsoft's security site.
Talkback
What dumb security Mother-Fucker would write code and release it to the public to try to take over computer systems. Are these guys out here to help or hurt us??? These guys are chopping at the bit and are so anxious to announce that they have discovered a flaw. Their self-pontification is then extended in an attempt to hold software companies hostage with threats of embarrassment and consequences. This is a classic example of fueling your own industry. Worldwide governments need to investigate the Virus writers that disguise themselves as a legitimate security companies claiming to help the consumer. Well I say BULL-SHIT!
Whereas I agree whole-heartedly with DA MAN's description of Virus Writers, they also strike me as rather destructive and very childish, in a sad way, a way in which very few (disturbed ) children behave. If you caught a Virus writer, and asked him/her to explain such vicious actions the reply I fear would come back "Because I can" What must their poor little lives have been like,when they WERE children. I once caught a child, only a wee lad pulling the wings off a Butterfly, my question "Why"? earned the reply "Pretty an' I hate 'em". I see virus writers as human Ebola they see computer addicts as happy and settled enjoying our machines - Shucks! they hate us, We are their PREY, we should PRAY for them
Bit of a double-edged sword this one. While I can see that a security company could (and probably should) be able to threaten a company like Microsoft that code would be released if the software isn't fixed, should that company still release it if a fix is released? Seems to me that's just asking for trouble.