  #1  
Old 08-14-2006
joe5's Avatar

Botnet Herders Attack Windows 2000 Worm Hole

The first wave of malicious attacks against the MS06-040 vulnerability is underway, using malware that hijacks unpatched Windows machines for use in IRC-controlled botnets.

The attacks, which started late Aug. 12, use a variant of a backdoor Trojan that installs itself on a system, modifies security settings, connects to a remote IRC (Internet Relay Chat) server and starts listening for commands from a remote hacker, according to early warnings from anti-virus vendors.

The MSRC (Microsoft Security Response Center) described the attack as "extremely targeted" and said it appears to be specifically targeting unpatched Windows 2000 machines.

"[This is] very much unlike what we have seen in the past with recent Internet-wide worms," said MSRC program manager Stephen Toulouse. "In fact, our initial investigation reveals this isn't a worm in the "auto-spreading" classic sense," he added.

"Very few customers appear to be impacted, and we want to stress that if you have the MS06-040 update installed, you are not affected. While all that could change based on the actions of the criminals, it's important to scope the situation and take the opportunity to stress that everyone should apply this update," Toulouse said.

The MSRC is using its blog to communicate guidance in the early stages of the attack.

According to the LURHQ Threat Intelligence Group, the attackers are using a variant of the Mocbot trojan that was used in the Zotob worm attack in August 2005.

"Amazingly, this new variant of Mocbot still uses the same IRC server hostnames as a command-and-control mechanism after all these months. This may be partially due to the low-profile it has held, but also may be due to the fact that the hostnames and IP addresses associated with the command-and-control servers are almost all located in China," LURHQ said in an advisory.

Read the rest of this eWEEK story: "Botnet Herders Attack MS06-040 Worm Hole"

From:
http://www.pcmag.com/article2/0,1895,2003069,00.asp


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

  #2  
Old 08-14-2006
joe5's Avatar

Worm feasts on latest Windows vulnerability

Ooh Betty, it's happening again


Virus writers have adapted an existing family of worms to exploit a recently patched, high-profile Windows security vulnerability.

Corporate admins are being urged to redouble their efforts to roll out security patches as quickly as possible.

The Cuebot-L and Cuebot-M worms spread via AOL instant messenger, exploiting the MS06-040 vulnerability in Windows Server Service.

If successful, the latest variants of the worm turn off security controls in the Windows firewall and open a backdoor onto compromised machines, allowing hackers to remotely control machines, which thereafter become zombie clients in botnet networks.

Previous versions of the worm caused two earlier Windows vulnerabilities to spread, as explained in an advisory by CA here.

Microsoft last week released a "critical" patch for the Windows server flaw exploited by Cuebot-L and Cuebot-M. Security experts were quick to see its potential for exploitation, now realised with the Cuebot-L and Cuebot-M worms.

The Department of Homeland Security took the unusual step of warning of the seriousness of the flaw shortly after Redmond's release of the corresponding software fix.

From:
http://www.theregister.co.uk/2006/08...rgets_ms_vuln/


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

  #3  
Old 08-14-2006
joe5's Avatar

With Exploits Out, MS Braces for Worm Attack


A network worm attack exploiting a critical Microsoft Windows vulnerability appears inevitable, security experts warned Aug. 10.


Just days after the Redmond, Wash., software maker issued the MS06-040 bulletin with patches for a "critical" Server Service flaw, Microsoft's security response unit is bracing for the worst after exploit code that offers a blueprint for attacks began circulating on the Internet.

Even before the release of Microsoft's patch, the US-CERT (Computer Emergency Readiness Team) warned that the flaw was being used in targeted attacks and that the appearance of public exploits is a sure sign that a worm attack is imminent.

An exploit module was added to HD Moore's Metasploit Framework that could launch attacks against all unpatched Windows 2000 systems and some versions of Windows XP.

Two penetration testing companies, Immunity and Core Security Technologies, have already created and released "reliable exploits" for the flaw, which was deemed wormable on all Windows versions, including Windows XP SP2 and Windows Server 2003 SP1.


Dave Aitel, a researcher at Immunity, said his exploits are capable of launching attacks against firewall-protected Windows XP SP2. "A worm is coming. This bug is just too easy to exploit," Aitel said in an interview with eWEEK.

Aitel's company was able to reverse-engineer Microsoft's patch and create a working exploit in less than 24 hours.

Gartner Research security analyst John Pescatore said businesses should prepare for the worst.

Read the rest of this eWEEK story: "With Exploits Out, MS Braces for Worm Attack"

From:
http://www.pcmag.com/article2/0,1895,2002364,00.asp


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -

