News Stay informed about the latest enterprise technology news and product updates.

Windows Plug and Play has a new enemy

Mocbot targets an already-exploited security hole Microsoft patched in August. Could it be the next Zotob?

Security experts are warily watching exploit code targeting flaws that Microsoft patched this month. But a new bot on the scene shows the bad guys haven't given up on an older attack vector they successfully plowed through two months ago with worms like Zotob.

According to Finnish antivirus firm F-Secure Corp., Mocbot-A initially appeared to target the "important" Windows Plug and Play vulnerability that Microsoft patched Oct. 11 in its MS05-047 bulletin.

The software giant said attackers could exploit the flaw, which takes advantage of the Windows elements that support hardware hot-swapping, to remotely launch malicious code or gain elevated user privileges. Windows 2000 SP4, XP SP1 and XP SP2 are affected.

But F-Secure researchers determined the bot targets an earlier Plug and Play flaw Microsoft patched Aug. 9 in MS05-039. That flaw has already been attacked by a number of Trojan horses, bots and worms, most notably Zotob.

"After further analysis, it turned out the actual vulnerability [Mocbot targets] is not MS05-047 but the old MS05-039," F-Secure said in its daily lab blog. "The confusion was caused by the exploit code used by Mocbot, which resembles publicly available exploit code for MS05-047. Also, we received reports that the bot channel may instruct all joining bots to start automatically scanning for vulnerable computers, thus acting as automatic worms."

For more information

Get expert advice on beating back the bots.

Check out our Topics page on Trojans, backdoors and bots.

Mikko Hypponen, F-Secure's director of AV research, said in an e-mail exchange that it looked as though Mocbot's creators were trying to build a large botnet. But the command servers seemed to be down and "it's going nowhere at the moment," he said. He added that the activity is coming from Russia.

Mocbot details
F-Secure said that when Mocbot's file is started, it copies itself to the Windows system folder as "wudpcom.exe" then creates a service with the following attributes:

Service path: wudpcom.exe

Service name: Windows UDP Communication

F-Secure said when the bot is active, it connects to an IRC server, joins a certain channel and acts as a bot there. It uses the following IRC servers: and "The bot [then] joins to a password-protected IRC channel where the hacker can send commands to the bots to control infected computers," F-Secure said.

Mocbot impact?

Though it's proven to be a dud thus far, its appearance raises two questions:

  • Could Mocbot's creators adjust their tactics and come up with a way to target the newer Plug and Play flaw?
  • Could the bot go after the original Plug and Play flaw with the same fury as Zotob?

To both questions, Hypponen's answer was maybe, but not likely.

Using Mocbot to fashion an attack on the new flaw could be done, he said, "but it wouldn't be that simple. There is public exploit code against MS05-047, but this code could not be used directly to create a worm." And, he added, "As there's no suitable exploit floating around, we don't expect to see a worm using the [newer] vulnerability just yet."

Dig Deeper on Productivity apps and messaging security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.