Windows Plug and Play has a new enemy

By Bill Brenner, News Writer
24 Oct 2005 | SearchSecurity.com


Security experts are warily watching exploit code targeting flaws that Microsoft patched this month. But a new bot on the scene shows the bad guys haven't given up on an older attack vector they successfully plowed through two months ago with worms like Zotob.

According to Finnish antivirus firm F-Secure Corp., Mocbot-A initially appeared to target the "important" Windows Plug and Play vulnerability that Microsoft patched Oct. 11 in its MS05-047 bulletin.

The software giant said attackers could exploit the flaw, which takes advantage of the Windows elements that support hardware hot-swapping, to remotely launch malicious code or gain elevated user privileges. Windows 2000 SP4, XP SP1 and XP SP2 are affected.

But F-Secure researchers determined the bot targets an earlier Plug and Play flaw Microsoft patched Aug. 9 in MS05-039. That flaw has already been attacked by a number of Trojan horses, bots and worms, most notably Zotob.

"After further analysis, it turned out the actual vulnerability [Mocbot targets] is not MS05-047 but the old MS05-039," F-Secure said in its daily lab blog. "The confusion was caused by the exploit code used by Mocbot, which resembles publicly available exploit code for MS05-047. Also, we received reports that the bot channel may instruct all joining bots to start automatically scanning for vulnerable computers, thus acting as automatic worms."


Mikko Hypponen, F-Secure's director of AV research, said in an e-mail exchange that it looked as though Mocbot's creators were trying to build a large botnet. But the command servers seemed to be down and "it's going nowhere at the moment," he said. He added that the activity is coming from Russia.

Mocbot details
F-Secure said that when Mocbot's file is started, it copies itself to the Windows system folder as "wudpcom.exe" then creates a service with the following attributes:

Service path: wudpcom.exe

Service name: Windows UDP Communication

F-Secure said when the bot is active, it connects to an IRC server, joins a certain channel and acts as a bot there. It uses the following IRC servers: bbjj.househot.com and ypgw.wallloan.com. "The bot [then] joins to a password-protected IRC channel where the hacker can send commands to the bots to control infected computers," F-Secure said.
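The persistence and command-channel details above give a defender two things to look for: a newly installed service with that name or image, and name lookups for the two IRC servers. The following is an added example, not code from the article or from F-Secure, that runs those checks over constructed sample records; the record layouts (a flattened "service installed" event, a simple resolver query log) and the host names are assumptions for illustration.

```python
import re

# Indicators named in the F-Secure write-up quoted on this page.
MOCBOT_SERVICE_NAME = "Windows UDP Communication"
MOCBOT_IMAGE = "wudpcom.exe"
MOCBOT_IRC_HOSTS = {"bbjj.househot.com", "ypgw.wallloan.com"}

# Constructed sample records, not real telemetry. The service lines mimic the
# fields of a Windows System log "service installed" event (EventID 7045);
# the DNS lines mimic a plain resolver query log. Paths and hosts are made up.
SAMPLE_SERVICE_EVENTS = [
    "EventID=7045 Host=ws-17 ServiceName='Print Spooler' ImagePath='C:\\WINDOWS\\system32\\spoolsv.exe'",
    "EventID=7045 Host=ws-22 ServiceName='Windows UDP Communication' ImagePath='C:\\WINDOWS\\system32\\wudpcom.exe'",
    "EventID=7036 Host=ws-22 ServiceName='Windows UDP Communication' State=running",
]
SAMPLE_DNS_LOG = [
    "2005-10-24T10:01:02 ws-17 query A www.example.com",
    "2005-10-24T10:01:09 ws-22 query A bbjj.househot.com",
    "2005-10-24T10:02:11 ws-22 query A ypgw.wallloan.com",
]

SERVICE_RE = re.compile(r"EventID=(\d+) Host=(\S+) ServiceName='([^']*)'(?: ImagePath='([^']*)')?")
DNS_RE = re.compile(r"^(\S+) (\S+) query \S+ (\S+)$")

def find_service_installs(lines):
    """Return (host, service_name, image_path) for 7045 events matching Mocbot's name or image."""
    hits = []
    for line in lines:
        m = SERVICE_RE.search(line)
        if not m or m.group(1) != "7045":
            continue  # only service-installation events are of interest here
        _, host, name, image = m.groups()
        # Compare on the file name only: the bot copies itself into the system folder,
        # so the directory part is not a reliable part of the indicator.
        image_base = (image or "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name == MOCBOT_SERVICE_NAME or image_base == MOCBOT_IMAGE:
            hits.append((host, name, image))
    return hits

def find_irc_lookups(lines):
    """Return (host, queried_name) for lookups of the IRC servers the bot uses."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line)
        if m and m.group(3).lower().rstrip(".") in MOCBOT_IRC_HOSTS:
            hits.append((m.group(2), m.group(3)))
    return hits

def correlate(service_lines, dns_lines):
    """Hosts that both installed the suspicious service and resolved an IRC server name."""
    svc_hosts = {h for h, _, _ in find_service_installs(service_lines)}
    dns_hosts = {h for h, _ in find_irc_lookups(dns_lines)}
    return sorted(svc_hosts & dns_hosts)
```

A host that only shows one of the two signals is still worth a look; the correlation simply ranks hosts that show both first.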

Mocbot impact?

Though it's proven to be a dud thus far, its appearance raises two questions:

  • Could Mocbot's creators adjust their tactics and come up with a way to target the newer Plug and Play flaw?
  • Could the bot go after the original Plug and Play flaw with the same fury as Zotob?

To both questions, Hypponen's answer was maybe, but not likely.

Using Mocbot to fashion an attack on the new flaw could be done, he said, "but it wouldn't be that simple. There is public exploit code against MS05-047, but this code could not be used directly to create a worm." And, he added, "As there's no suitable exploit floating around, we don't expect to see a worm using the [newer] vulnerability just yet."
