Botnets spike in wake of Windows flaw

Bill Brenner
A security firm says the number of machines hijacked by a bot exploiting the MS06-040 flaw has spiked 23% in the past week. Meanwhile, the Randex worm has been modified to target the vulnerability.


    Requires Free Membership to View

Rowley, technical consultant for Alpharetta, Ga.-based messaging security vendor CipherTrust Inc., said Tuesday that the lab has observed the appearance of 265,000 new zombie PCs a day since variants of Mocbot started going after the Windows Server Service flaw.

"Mail volumes have once again reached a high this week, with spam making up 81% of the traffic," Rowley said in a statement. "Much of this increase can be attributed to the spam originating from the new zombies unleashed by the Mocbot worm."

Mocbot first started targeting machines vulnerable to the Windows Server Service flaw about four days after Microsoft released the MS06-040 patch. Security experts have warned that the flaw is easily exploitable and could be targeted by a superworm on the scale of Blaster.

A superworm has yet to appear, but Cupertino, Calif.-based antivirus giant Symantec Corp. warned Tuesday that the Randex worm has been modified to target the flaw.

According to Symantec's analysis, W32.Randex.GEL is a network-aware worm that opens a back door on compromised machines and programs them to listen for additional commands over an Internet Rely Chat (IRC) channel. This could allow attackers to:

  • Download and execute files
  • List, stop, and start processes and threads;
  • Launch a denial-of-service attack;
  • Open a command shell on the compromised computer;
  • Create a proxy server; and
  • Log keystrokes.

    As nasty as the worm may sound, Symantec considers it a low-level threat at this time. In fact, the company lowered its ThreatCon to Level 1 Tuesday. It had been set at Level 2 for more than a month due to the MS06-040 flaw and exploits against Microsoft PowerPoint and Excel.

  • There are Comments. Add yours.

    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: