News Stay informed about the latest enterprise technology news and product updates.

Attacks against MS06-040 on the rise

Six pieces of malware are now going after the Windows Server Service flaw outlined in MS06-040, and a spike in attacks has led Symantec to raise its ThreatCon to Level 2.

Security experts are warning IT administrators to restrict access to TCP port 139 and update antivirus programs daily, as attacks against the MS06-040 flaw increase.

Thursday, Cupertino, Calif.-based antivirus giant Symantec Corp. raised its ThreatCon to Level 2 -- signaling an increased risk of attacks -- after observing an increase in malicious activity over that port.

Symantec said its honeypots have observed ongoing and frequent attacks against the Windows Server Service remote buffer overflow flaw via TCP port 139, and that six known bots are now exploiting the vulnerability.

"The potential impact of these threats is exaggerated due to reports of successful compromise of Windows NT systems, for which there is no patch available, by at least one of the six bots targeting the vulnerability," Symantec said. "The exploits for at least some of these bots also function against Windows 2000 and XP targets."

Symantec's DeepSight Threat Management Service recommended network administrators restrict access to TCP port 139 and 445 at the network perimeter and make sure antivirus definitions are up to date.

More on MS06-040

Botnets spike in wake of Windows flaw

Fear and loathing in MS06-040's wake

August patch management woes strike again

Mocbot update targets MS06-040 flaw

Microsoft's fixes 23 flaws, DHS urges action
The Bethesda, Md.-based SANS Internet Storm Center (ISC) said on its Web site that it has received "all kinds of emails about the recent increase in scanning on port 139."

Much of the ISC's analysis focused on the Randex worm, which started targeting MS06-040 last week.

Botnet masters have also targeted MS06-040 using Mocbot. Last week, Alpharetta, Ga.-based messaging security vendor CipherTrust Inc. said it had observed a 23% spike in botnets during that week, partly because of Mocbot infections.

But so far the Blaster-sized superworm some experts have warned of since Microsoft released MS06-040 Aug. 8 has failed to materialize.

The ISC said IT shops can mitigate the risk associated with the MS06-040 flaw by updating antivirus programs at least daily, deploying patches quickly and blocking ports 139 and 445 at the router/firewall.

"Since cleaning botnets is pretty much impossible, prevention is the key," ISC handler Joel Esler wrote on the Web site. "If you do get hit with a botnet infection running throughout your network, my general recommendation is [to] rebuild the box."

Dig Deeper on Malware, virus, Trojan and spyware protection and removal

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.