Mocbot update targets MS06-040 flaw

By Bill Brenner, Senior News Writer
13 Aug 2006 | SearchSecurity.com

Security Wire Daily News

Attackers this weekend launched malware against the Windows flaw Microsoft addressed last week in its MS06-040 patch. Security experts sent out warnings Sunday urging enterprises and consumers alike to speed up their patching schedules in response.

A Microsoft spokesman said in an email Sunday that the software giant activated its emergency response process following reports of the malware, which attackers are reportedly using to expand their IRC-controlled botnets. Cupertino, Calif.-based Symantec Corp. is calling the malware W32.Wargbot, while Tokyo-based Trend Micro is calling it WORM.IRCbot-JK and Santa Clara, Calif.-based McAfee Inc. has labeled it IRC-Mocbot!MS06-040.

"At this time the attack does not appear to be self replicating and only impacts computers running Windows 2000 who have not applied the MS06-040 security update," the Microsoft spokesman said, adding that the company considers the malware a low-level threat because it is not aware of any widespread customer impact. Nevertheless, he said, "The Microsoft Security Response Center remains on high alert and continues to recommend that customers apply the August security updates."

While Microsoft considers this a low-level threat, other security experts urged IT professionals to take the latest malware seriously.

"Automated botnet malware has been using [the MS06-040 flaw] to infect machines and then scan for new machines to infect," Marc Maiffret, chief hacking officer of Aliso Viejo, Calif.-based eEye Digital Security Inc., warned in a message on the patch management forum hosted by Roseville, Minn.-based Shavlik Technologies LLC. "If you have not installed the patch for MS06-040, then you're at risk and need to get a move on."

Maiffret said that when the malware infects a machine, it downloads a botnet program that then connects to IRC chat servers in China and elsewhere, allowing attackers to control the machine to do "whatever they want," including the ability to flood other systems with a distributed denial-of-service (DDoS) attack.

Chicago-based security management firm LURHQ Corp. has posted an analysis of the malware. The company said there were a couple of variants circulating Sunday and that the code itself is not new. Rather, it is a modified version of the Mocbot-A malware that has been changed to go after machines vulnerable to the Windows Server Service flaw outlined in MS06-040.

"Mocbot first appeared in late 2005, using the MS05-039 PNP vulnerability in order to spread," LURHQ said. "Since it is a fairly unremarkable IRC bot and was not even the first to use the MS05-039 exploit, it received little attention past the ordinary antivirus write-ups and signatures."

Little appears to have changed between previous Mocbot variants and the new one, except the replacement of the MS05-039 exploit with that of MS06-040, LURHQ said. "Primarily, Mocbot resembles many other IRC bots, providing the controller with a backdoor on the infected host, along with the ability to launch a DDoS attack against other hosts, as well as being able to use the built-in exploit to spread to additional systems."

The Bethesda, Md.-based SANS Internet Storm Center (ISC) said on its Web site that it has received samples and infection reports from several sources and that there appear to be two different binaries involved.

The ISC also noted that such antivirus vendors as Trend Micro, McAfee and Helsinki, Finland-based F-Secure Corp. have started to offer protection against the malware.

Security experts have warned of the potential of a worm attack since MS06-040 was released Tuesday, describing the flaw as easily exploitable. Even the U.S. Department of Homeland Security, which rarely joins the post-Patch Tuesday stampede of warnings, sent out a public advisory urging Windows users to install the MS06-040 patch as soon as possible.

Within hours of the patch release, H.D. Moore, co-creator of the Metasploit Framework, and other researchers started making exploit code available.

Tags: Malware, Viruses, Trojans and Spyware
