Security experts are warning IT administrators to restrict access to TCP port 139 and update antivirus programs...
daily, as attacks against the MS06-040 flaw increase.
Thursday, Cupertino, Calif.-based antivirus giant Symantec Corp. raised its ThreatCon to Level 2 -- signaling an increased risk of attacks -- after observing an increase in malicious activity over that port.
Symantec said its honeypots have observed ongoing and frequent attacks against the Windows Server Service remote buffer overflow flaw via TCP port 139, and that six known bots are now exploiting the vulnerability.
"The potential impact of these threats is exaggerated due to reports of successful compromise of Windows NT systems, for which there is no patch available, by at least one of the six bots targeting the vulnerability," Symantec said. "The exploits for at least some of these bots also function against Windows 2000 and XP targets."
Symantec's DeepSight Threat Management Service recommended network administrators restrict access to TCP port 139 and 445 at the network perimeter and make sure antivirus definitions are up to date.
Much of the ISC's analysis focused on the Randex worm, which started targeting MS06-040 last week.
Botnet masters have also targeted MS06-040 using Mocbot. Last week, Alpharetta, Ga.-based messaging security vendor CipherTrust Inc. said it had observed a 23% spike in botnets during that week, partly because of Mocbot infections.
But so far the Blaster-sized superworm some experts have warned of since Microsoft released MS06-040 Aug. 8 has failed to materialize.
The ISC said IT shops can mitigate the risk associated with the MS06-040 flaw by updating antivirus programs at least daily, deploying patches quickly and blocking ports 139 and 445 at the router/firewall.
"Since cleaning botnets is pretty much impossible, prevention is the key," ISC handler Joel Esler wrote on the Web site. "If you do get hit with a botnet infection running throughout your network, my general recommendation is [to] rebuild the box."