News Stay informed about the latest enterprise technology news and product updates.

Botnets spike in wake of Windows flaw

Mocbot has hijacked 265,000 machines a day by exploiting the MS06-040 flaw. Meanwhile, a modified Randex worm has set its sights on the flaw.

A security firm says the number of machines hijacked by a bot exploiting the MS06-040 flaw has spiked 23% in the past week. Meanwhile, the Randex worm has been modified to target the vulnerability.

Ed Rowley, technical consultant for Alpharetta, Ga.-based messaging security vendor CipherTrust Inc., said Tuesday that the lab has observed the appearance of 265,000 new zombie PCs a day since variants of Mocbot started going after the Windows Server Service flaw.

"Mail volumes have once again reached a high this week, with spam making up 81% of the traffic," Rowley said in a statement. "Much of this increase can be attributed to the spam originating from the new zombies unleashed by the Mocbot worm."

Mocbot first started targeting machines vulnerable to the Windows Server Service flaw about four days after Microsoft released the MS06-040 patch. Security experts have warned that the flaw is easily exploitable and could be targeted by a superworm on the scale of Blaster.

A superworm has yet to appear, but Cupertino, Calif.-based antivirus giant Symantec Corp. warned Tuesday that the Randex worm has been modified to target the flaw.

According to Symantec's analysis, W32.Randex.GEL is a network-aware worm that opens a back door on compromised machines and programs them to listen for additional commands over an Internet Rely Chat (IRC) channel. This could allow attackers to:

  • Download and execute files
  • List, stop, and start processes and threads;
  • Launch a denial-of-service attack;
  • Open a command shell on the compromised computer;
  • Create a proxy server; and
  • Log keystrokes.

    As nasty as the worm may sound, Symantec considers it a low-level threat at this time. In fact, the company lowered its ThreatCon to Level 1 Tuesday. It had been set at Level 2 for more than a month due to the MS06-040 flaw and exploits against Microsoft PowerPoint and Excel.

  • Dig Deeper on Malware, virus, Trojan and spyware protection and removal

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.