Attacks against MS06-040 on the rise

By Bill Brenner, Senior News Writer 01 Sep 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Thursday, Cupertino, Calif.-based antivirus giant Symantec Corp. raised its ThreatCon to Level 2 -- signaling an increased risk of attacks -- after observing an increase in malicious activity over that port.

Symantec said its honeypots have observed ongoing and frequent attacks against the Windows Server Service remote buffer overflow flaw via TCP port 139, and that six known bots are now exploiting the vulnerability.

"The potential impact of these threats is exaggerated due to reports of successful compromise of Windows NT systems, for which there is no patch available, by at least one of the six bots targeting the vulnerability," Symantec said. "The exploits for at least some of these bots also function against Windows 2000 and XP targets."

Symantec's DeepSight Threat Management Service recommended network administrators restrict access to TCP port 139 and 445 at the network perimeter and make sure antivirus definitions are up to date.

More on MS06-040 Botnets spike in wake of Windows flaw Fear and loathing in MS06-040's wake August patch management woes strike again Mocbot update targets MS06-040 flaw Microsoft's fixes 23 flaws, DHS urges action

The Bethesda, Md.-based SANS Internet Storm Center (ISC) said on its Web site that it has received "all kinds of emails about the recent increase in scanning on port 139."

Much of the ISC's analysis focused on the Randex worm, which started targeting MS06-040 last week.

Botnet masters have also targeted MS06-040 using Mocbot. Last week, Alpharetta, Ga.-based messaging security vendor CipherTrust Inc. said it had observed a 23% spike in botnets during that week, partly because of Mocbot infections.

But so far the Blaster-sized superworm some experts have warned of since Microsoft released MS06-040 Aug. 8 has failed to materialize.

The ISC said IT shops can mitigate the risk associated with the MS06-040 flaw by updating antivirus programs at least daily, deploying patches quickly and blocking ports 139 and 445 at the router/firewall.

"Since cleaning botnets is pretty much impossible, prevention is the key," ISC handler Joel Esler wrote on the Web site. "If you do get hit with a botnet infection running throughout your network, my general recommendation is [to] rebuild the box."

Tags: Malware, Viruses, Trojans and Spyware,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Malware, Viruses, Trojans and Spyware iPhone worm Rickrolls jailbroken phones Israeli Mossad add Trojan Horse to Syrian laptop Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Breach forces payroll service provider PayChoice to shut down again

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary