16. Network Protocol Fuzzing:Automation on Windows

“I couldn’t imagine somebody like Osama bin Laden understanding the joy of Hanukkah.”

—George W. Bush, White House Menorah lighting ceremony, Washington, DC, December 10, 2001

Although UNIX systems might dominate in the server room, there are more installations of the Microsoft Windows operating system worldwide, which make it an equally coveted attack target. Vulnerabilities affecting the Windows desktop are frequently leveraged in the creation of the many bot nets in existence today. Consider the Slammer worm,^[1] which exploits a buffer overflow in Microsoft SQL Server, as a demonstration of the power of a network enabled Windows vulnerability. The vulnerability was addressed in Microsoft Security Bulletin MS02-039^[2] on July 24, 2002 and the Slammer worm surfaced on January 25, 2003. The worm has virtually no payload; it simply utilizes the infected host to scan for and spread to other infected machines.^[3] Despite its lack of payload, the aggressive scanning generated enough traffic to cause disruption of the Internet, credit card processing, and in some cases cell phone network availability. What is most interesting is that even after four years, the Slammer worm is still among the top five most seen traffic-generating events.^[4], ^[5] Clearly an exposed network vulnerability in Windows has far-reaching implications.

^[1] http://www.cert.org/advisories/CA-2003-04.html

^[2] http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx

^[3] http://pedram.openrce.org/__research/slammer/slammer.txt

^[4] http://isc.sans.org/portreport.html?sort=targets

^[5] http://atlas.arbor.net/