Attackers this weekend launched malware against the Windows flaw Microsoft addressed last week in its MS06-040 patch. Security experts sent out warnings Sunday urging enterprises and consumers alike to speed up their patching schedules in response.
A Microsoft spokesman said in an email Sunday that the software giant activated its emergency response process following reports of the malware, which attackers are reportedly using to expand their IRC-controlled botnets. Cupertino, Calif.-based Symantec Corp. is calling the malware W32.Wargbot, while Tokyo-based Trend Micro is calling it WORM.IRCbot-JK and Santa Clara, Calif.-based McAfee Inc. has labeled it IRC-Mocbot!MS06-040.
"At this time the attack does not appear to be self replicating and only impacts computers running Windows 2000 who have not applied the MS06-040 security update," the Microsoft spokesman said, adding that the company considers the malware a low-level threat because it is not aware of any widespread customer impact. Nevertheless, he said, "The Microsoft Security Response Center remains on high alert and continues to recommend that customers apply the August security updates."
While Microsoft considers this a low-level threat, other security experts urged IT professionals to take the latest malware seriously.
"Automated botnet malware has been using [the MS06-040 flaw] to infect machines and then scan for new machines to infect," Marc Maiffret, chief hacking officer of Aliso Viejo, Calif.-based eEye Digital Security Inc., warned in a message on the patch management forum hosted by Roseville, Minn.-based Shavlik Technologies LLC. "If you have not installed the patch for MS06-040, then you're at risk and need to get a move on."
Maiffret said that when the malware infects a machine, it downloads a botnet program that then connects to IRC chat servers in China and elsewhere, allowing attackers to control the machine to do "whatever they want," including the ability to flood other systems with a distributed denial-of-service (DDoS) attack.
Chicago-based security management firm LURHQ Corp. has posted an analysis of the malware. The company said there were a couple variants circulating Sunday, and that the code itself is not new. Rather, it is a modified version of the Mocbot-A malware that has been changed to go after machines vulnerable to the Windows Server Service flaw outlined in MS06-040.
"Mocbot first appeared in late 2005, using the MS05-039 PNP vulnerability in order to spread," LURHQ said. "Since it is a fairly unremarkable IRC bot and was not even the first to use the MS05-039 exploit, it received little attention past the ordinary antivirus write-ups and signatures."
Little appears to have changed between previous Mocbot variants and the new one, except the replacement of the MS05-039 exploit with that of MS06-040, LURHQ said. "Primarily, Mocbot resembles many other IRC bots, providing the controller with a backdoor on the infected host, along with the ability to launch a DDoS attack against other hosts, as well as being able to use the built-in exploit to spread to additional systems."
The Bethesda, Md.-based SANS Internet Storm Center (ISC) said on its Web site that it has received samples and infection reports from several sources and it appeared there are two different binaries involved.
The ISC also noted that such antivirus vendors as Trend Micro, McAfee and Helsinki, Finland-based F-Secure Corp. have started to offer protection against the malware.
Security experts have warned of the potential of a worm attack since MS06-040 was released Tuesday, describing the flaw as easily exploitable. Even the U.S. Department of Homeland Security, which rarely joins the post-Patch Tuesday stampede of warnings, sent out a public advisory urging Windows users to install the MS06-040 patch as soon as possible.
Within hours of the patch release, H.D. Moore, co-creator of the Metasploit Framework, and other researchers started making exploit code available.