A security firm says the number of machines hijacked by a bot exploiting the MS06-040 flaw has spiked 23% in the past week. Meanwhile, the Randex worm has been modified to target the vulnerability.
Ed Rowley, technical consultant for Alpharetta, Ga.-based messaging security vendor CipherTrust Inc., said Tuesday that the lab has observed the appearance of 265,000 new zombie PCs a day since variants of Mocbot started going after the Windows Server Service flaw.
"Mail volumes have once again reached a high this week, with spam making up 81% of the traffic," Rowley said in a statement. "Much of this increase can be attributed to the spam originating from the new zombies unleashed by the Mocbot worm."
Mocbot first started targeting machines vulnerable to the Windows Server Service flaw about four days after Microsoft released the MS06-040 patch. Security experts have warned that the flaw is easily exploitable and could be targeted by a superworm on the scale of Blaster.
A superworm has yet to appear, but Cupertino, Calif.-based antivirus giant Symantec Corp. warned Tuesday that the Randex worm has been modified to target the flaw.
According to Symantec's analysis, W32.Randex.GEL is a network-aware worm that opens a back door on compromised machines and programs them to listen for additional commands over an Internet Rely Chat (IRC) channel. This could allow attackers to:
As nasty as the worm may sound, Symantec considers it a low-level threat at this time. In fact, the company lowered its ThreatCon to Level 1 Tuesday. It had been set at Level 2 for more than a month due to the MS06-040 flaw and exploits against Microsoft PowerPoint and Excel.