MS06-040 Botnet Attack Reloaded

Botnet herders have reloaded and launched a new round of worm attacks against Windows users, exploiting multiple product flaws to hijack unpatched computers.

In addition to the MS06-040 Windows Server Service flaw, attackers have added exploits for three other Windows worm holes as part of the latest wave of attacks, according to anti-virus experts tracking the threat.

Like the original Mocbot attack that first surfaced in August, the latest barrage is programmed to turn infected machines into zombies for use in spam-related botnets.

According to a warning from Symantec, the attack is linked to W32.Randex.GEL, a network-aware worm with back door capabilities that exploits the MS06-040 vulnerability. Once it gets on the machine, the worm spreads to other computers by exploiting critical flaws patched by Microsoft in 2004 and 2005.

The biggest targets, according to incident handlers at the SANS ISC (Internet Storm Center), are out-of-support Windows NT4 machines that are sitting ducks for attacks because they remain without important software patches.

Read more here about the motive behind the Mocbot attack.

Symantec said the network worm is capable of squirming through unpatched Windows NT, Windows 2000, Windows 95, Windows 98, Windows Me and Windows XP machines.

Once executed on an unpatched box, Symantec said the malware opens a back door on the compromised computer and attempts to connect to a hard-coded list of IRC (Internet Relay Chat) servers.

Once connected to an IRC server, the infected machine then listens for commands, effectively allowing a remote attacker to download and execute additional malware files, control processes and threats, launch denial-of-service attacks, and launch spam runs of log keystrokes.

Symantec also warned that the worm is capable of spreading to other computers by sending URL links through MSN Messenger, Yahoo Messenger, AOL Instant Messenger and ICQ.

It also copies itself to network shares and Microsoft SQL servers, using a list of hard-coded usernames and passwords.

According to a malware description from McAfee, the bot has also been fitted with the ability to steal log-in credentials and pin information from online banking Web sites, eBay, PayPal, Western Union and WorldPay.

It can also be used to disable security software, including anti-virus and anti-spyware applications.

A spokesman for Microsoft said the company is “watching diligently” for any increase in malicious activity since the release of the MS06-040 bulletin. “While we are aware of new attempts to exploit this vulnerability, we are not seeing an increase over the already existing limited attacks attempting to exploit that vulnerability,” he said.

Check out eWEEK.com’s for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer’s Weblog.