Windows Plug and Play has a new enemy

By Bill Brenner, News Writer
24 Oct 2005 | SearchSecurity.com

Security Wire Daily News

Security experts are warily watching exploit code targeting flaws that Microsoft patched this month. But a new bot on the scene shows the bad guys haven't given up on an older attack vector they successfully plowed through two months ago with worms like Zotob.

According to Finnish antivirus firm F-Secure Corp., Mocbot-A initially appeared to target the "important" Windows Plug and Play vulnerability that Microsoft patched Oct. 11 in its MS05-047 bulletin.

The software giant said attackers could exploit the flaw, which takes advantage of the Windows elements that support hardware hot-swapping, to remotely launch malicious code or gain elevated user privileges. Windows 2000 SP4, XP SP1 and XP SP2 are affected.

But F-Secure researchers determined the bot targets an earlier Plug and Play flaw Microsoft patched Aug. 9 in MS05-039. That flaw has already been attacked by a number of Trojan horses, bots and worms, most notably Zotob.

"After further analysis, it turned out the actual vulnerability [Mocbot targets] is not MS05-047 but the old MS05-039," F-Secure said in its daily lab blog. "The confusion was caused by the exploit code used by Mocbot, which resembles publicly available exploit code for MS05-047. Also, we received reports that the bot channel may instruct all joining bots to start automatically scanning for vulnerable computers, thus acting as automatic worms."


Mikko Hypponen, F-Secure's director of AV research, said in an e-mail exchange that it looked as though Mocbot's creators were trying to build a large botnet. But the command servers seemed to be down and "it's going nowhere at the moment," he said. He added that the activity is coming from Russia.

Mocbot details
F-Secure said that when Mocbot's file is started, it copies itself to the Windows system folder as "wudpcom.exe" then creates a service with the following attributes:

Service path: wudpcom.exe

Service name: Windows UDP Communication

F-Secure said when the bot is active, it connects to an IRC server, joins a certain channel and acts as a bot there. It uses the following IRC servers: bbjj.househot.com and ypgw.wallloan.com. "The bot [then] joins to a password-protected IRC channel where the hacker can send commands to the bots to control infected computers," F-Secure said.
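As an added example (not code from the article or from F-Secure), the following Python script shows how a defender could sweep a host service inventory and a DNS query log for the Mocbot indicators the article lists: the service name "Windows UDP Communication", the binary "wudpcom.exe", and the two IRC hostnames. The inventory and log line formats, the sample lines, and the helper names are constructed for this example; only the indicator values come from the article.

```python
"""Indicator sweep for the Mocbot bot described by F-Secure.

The CSV service-inventory format and the DNS log format below are
assumptions made for this example, as are the sample lines; the
indicator values are the ones reported in the article.
"""

# Indicators quoted in the article.
MOCBOT_SERVICE_NAME = "Windows UDP Communication"
MOCBOT_BINARY = "wudpcom.exe"
MOCBOT_IRC_HOSTS = {"bbjj.househot.com", "ypgw.wallloan.com"}


def check_service_inventory(lines):
    """Scan constructed 'host,service_name,binary_path' lines.

    Flags a service when its display name or its binary file name
    matches the Mocbot indicators. Either match alone is reported,
    since a variant could change one attribute and keep the other.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",", 2)]
        if len(parts) != 3:
            continue  # malformed line, skip rather than crash the sweep
        host, name, path = parts
        # Normalise the path so both Windows and POSIX separators work.
        binary = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        reasons = []
        if name.lower() == MOCBOT_SERVICE_NAME.lower():
            reasons.append("service name matches Mocbot")
        if binary == MOCBOT_BINARY:
            reasons.append("service binary matches Mocbot")
        if reasons:
            findings.append({"host": host, "source": "service",
                             "detail": path, "reasons": reasons})
    return findings


def check_dns_log(lines):
    """Scan constructed '<timestamp> <client_ip> query <qname>' lines.

    Flags any client that looked up one of the IRC servers Mocbot uses
    for command and control, which is the earliest network-side sign
    of an infected host trying to join the bot channel.
    """
    findings = []
    for raw in lines:
        fields = raw.split()
        if len(fields) < 4 or fields[2] != "query":
            continue
        ts, client, _, qname = fields[:4]
        qname = qname.rstrip(".").lower()  # drop trailing root dot
        if qname in MOCBOT_IRC_HOSTS:
            findings.append({"host": client, "source": "dns",
                             "detail": qname,
                             "reasons": [f"C2 hostname lookup at {ts}"]})
    return findings


def run_sweep(service_lines, dns_lines):
    """Return all findings from both data sources in one list."""
    return check_service_inventory(service_lines) + check_dns_log(dns_lines)


# Constructed sample data (not real telemetry).
SAMPLE_SERVICES = """\
# host,service_name,binary_path
ws-01,Windows Update,C:\\Windows\\system32\\svchost.exe
ws-02,Windows UDP Communication,C:\\WINDOWS\\system32\\wudpcom.exe
ws-03,Print Spooler,C:\\Windows\\system32\\spoolsv.exe
""".splitlines()

SAMPLE_DNS = """\
2005-10-24T09:12:01 10.0.0.12 query www.microsoft.com.
2005-10-24T09:12:07 10.0.0.22 query bbjj.househot.com.
2005-10-24T09:13:44 10.0.0.22 query ypgw.wallloan.com.
""".splitlines()


if __name__ == "__main__":
    for f in run_sweep(SAMPLE_SERVICES, SAMPLE_DNS):
        print(f"{f['host']:10} {f['source']:8} {f['detail']}: {'; '.join(f['reasons'])}")
```

The service check matches on name and binary independently because a renamed copy would otherwise slip past a single combined test; the DNS check is the cheaper, fleet-wide signal, since one resolver log covers every host that attempts to reach the IRC servers.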

Mocbot impact?

Though it's proven to be a dud thus far, its appearance raises two questions:

  • Could Mocbot's creators adjust their tactics and come up with a way to target the newer Plug and Play flaw?
  • Could the bot go after the original Plug and Play flaw with the same fury as Zotob?

To both questions, Hypponen's answer was maybe, but not likely.

Using Mocbot to fashion an attack on the new flaw could be done, he said, "but it wouldn't be that simple. There is public exploit code against MS05-047, but this code could not be used directly to create a worm." And, he added, "As there's no suitable exploit floating around, we don't expect to see a worm using the [newer] vulnerability just yet."
