Feeds

Bot spreads using latest Windows flaw

Update warning

The essential guide to IT transformation

Security firms reiterated advice to companies and home users to patch their Windows systems, after a bot program was detected last week that used a recently fixed flaw to compromise computers.

The bot has reportedly not spread very widely, according to advisories posted by Microsoft, Symantec, and security firm LURHQ, which labelled the program Graweg, Wargbot and Mocbot, respectively (Symantec is the parent company of SecurityFocus.)

The bot, and a second variant, appear to use the Windows Server service flaw (MS06-040) to spread to computers that have not yet been patched for the issue. Microsoft fixed the flaw two weeks ago.

"So far, this appears to be an extremely targeted attack, very much unlike what we have seen in the past with recent Internet-wide worms," Stephen Toulouse, security program manager for Microsoft, wrote on the company's security response centre blog.

"In fact, our initial investigation reveals this isn't a worm in the 'autospreading' classic sense, and it appears to target Windows 2000. Very few customers appear to be impacted, and we want to stress that if you have the MS06-040 update installed you are not affected."

While remotely exploitable flaws in operating-system components that handle network data have historically led to worms, such fast spreading threats have become far more rare in recent years, as virus and worm writers instead use such weaknesses to compromise systems for profit.

The favoured tool has become bot programs - software that infects computers by exploiting vulnerabilities or by using social engineering to convince the user to execute the program and then surreptitiously allows the attacker to control the computer or capture sensitive data from the system.

Security experts and even the US Department of Homeland Security advised companies to patch their system for the Windows Server service flaw, warning that the vulnerability was already being used to exploit systems.

Security firm eEye Digital Security reiterated the warning.

"I hope people are taking this as another big red flag warning to hurry up and patch their systems," Marc Maiffret, chief technology officer for eEye, said in a statement emailed to SecurityFocus.

The Internet Storm Centre, a website that publicly tracks port-scanning attempts and other security incidents, reported that many of its contributors had started noticing a large increase in scans for the Windows Server service flaw.

The two variants of the bot program also appear to spread using America Online instant messaging client to send links from where the program will be downloaded, according to the analysis by LURHQ. The bot, which LURHQ refers to as Mocbot, compromises PCs and then awaits commands from a network of computers, most of which appear to be based in China.

One version of the bot program runs on a compromised system as wgareg.exe and creates a service to run at startup called the Windows Genuine Advantage Registration Service, while the other variant runs as wgavm.exe naming itself the Windows Genuine Advantage Validation Monitor.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Next gen security for virtualised datacentres

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?