[ISN] Botnet Herders Attack MS06-040 Worm Hole

From: InfoSec News (alerts@private)
Date: Mon Aug 14 2006 - 00:17:28 PDT


http://www.eweek.com/article2/0,1895,2002966,00.asp

By Ryan Naraine
August 13, 2006

The first wave of malicious attacks against the MS06-040 vulnerability
is underway, using malware that hijacks unpatched Windows machines for
use in IRC-controlled botnets.

The attacks, which started late Aug. 12, use a variant of a backdoor
Trojan that installs itself on a system, modifies security settings,
connects to a remote IRC (Internet Relay Chat) server and starts
listening for commands from a remote hacker, according to early
warnings from anti-virus vendors.

The MSRC (Microsoft Security Response Center) described the attack as
"extremely targeted" and said it appears to be specifically targeting
unpatched Windows 2000 machines.

"[This is] very much unlike what we have seen in the past with recent
Internet-wide worms," said MSRC program manager Stephen Toulouse. "In
fact, our initial investigation reveals this isn't a worm in the
'auto-spreading' classic sense," he added.

"Very few customers appear to be impacted, and we want to stress that
if you have the MS06-040 update installed, you are not affected. While
all that could change based on the actions of the criminals, it's
important to scope the situation and take the opportunity to stress
that everyone should apply this update," Toulouse said.

The MSRC is using its blog to communicate guidance in the early stages
of the attack.

According to the LURHQ Threat Intelligence Group, the attackers are
using a variant of the Mocbot trojan that was used in the Zotob worm
attack in August 2005.

"Amazingly, this new variant of Mocbot still uses the same IRC server
hostnames as a command-and-control mechanism after all these months.  
This may be partially due to the low-profile it has held, but also may
be due to the fact that the hostnames and IP addresses associated with
the command-and-control servers are almost all located in China,"  
LURHQ said in an advisory.

Historically, Chinese ISPs and government entities have been less than
cooperative in taking action against malware hosted and controlled
from within their networks, the company said.

On Aug. 13, a second variant of the Trojan was detected, confirming
fears that botnet herders are already playing cat-and-mouse with
anti-virus vendors.

The Trojan copies itself to the system directory as "wgareg.exe," and
creates a service to run at startup called "Windows Genuine Advantage
Registration Service," a sign that the attackers are using Microsoft's
anti-piracy mechanism in a social engineering trick.

It adds a description that attempts to discourage victims from
stopping the malicious service. It reads: "Ensures that your copy of
Microsoft Windows is genuine and registered. Stopping or disabling
this service will result in system instability."

F-Secure, an Internet security vendor in Helsinki, Finland, said the
backdoor generates a random nickname, joins a password-protected IRC
channel and waits for commands from a channel operator.

The backdoor also uses an auto-spreading mechanism. "When a hacker
initiates a scan within a defined range of IP addresses, the backdoor
attempts to connect to the selected IPs and to send the exploit there.
If a remote computer is vulnerable, it becomes infected with the
backdoor," F-Secure said in an alert.

The IRC servers controlling the bots are hosted at
"bbjj.househot.com:18067" and "ypgw.wallloan.com:18067," F-Secure
said, urging network administrators to monitor connection attempts to
those hosts.
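The persistence artifacts (the "wgareg.exe" file and the "Windows Genuine Advantage Registration Service" service) and the two IRC hosts on port 18067 are all indicators a defender can hunt for in logs. The following is an added example, not code from the article or from F-Secure or LURHQ: it matches those indicators against a constructed, hypothetical firewall and service-audit log format and lists the hosts to isolate first.

```python
import re

# Indicators as reported in the article (F-Secure / LURHQ, August 2006).
C2_HOSTS, C2_PORT = {"bbjj.househot.com", "ypgw.wallloan.com"}, 18067
DROPPED_FILE = "wgareg.exe"
SERVICE_NAME = "Windows Genuine Advantage Registration Service"

# Constructed sample lines in a hypothetical firewall / service-audit log format.
# Lines 1 and 3 are C2 connects, line 4 is the persistence service; line 2 is benign.
SAMPLE_LOGS = """\
2006-08-13T02:11:09Z fw ALLOW tcp 10.0.5.22:1045 -> bbjj.househot.com:18067
2006-08-13T02:11:10Z fw ALLOW tcp 10.0.5.22:1046 -> irc.example.net:6667
2006-08-13T02:12:44Z fw ALLOW tcp 10.0.7.9:1101 -> ypgw.wallloan.com:18067
2006-08-13T02:14:30Z svc CREATE host=10.0.5.22 name="Windows Genuine Advantage Registration Service" image=C:\\WINNT\\system32\\wgareg.exe
"""

CONN_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ -> ([\w.-]+):(\d+)$")
SVC_RE = re.compile(r'svc CREATE host=(\S+) name="([^"]*)" image=(\S+)$')

def match_c2_connection(line):
    # (src_ip, dst_host, confidence) or None. A reported hostname is high
    # confidence; port 18067 alone is only a medium-confidence lead to review.
    m = CONN_RE.search(line)
    if not m:
        return None
    src, host, port = m.group(1), m.group(2).lower(), int(m.group(3))
    if host in C2_HOSTS:
        return (src, host, "high")
    return (src, host, "medium") if port == C2_PORT else None

def match_service_install(line):
    # (host, reason) if a service-creation record matches the Trojan's
    # persistence, by display name or by the dropped file name, else None.
    m = SVC_RE.search(line)
    if not m:
        return None
    host, name, image = m.groups()
    image_name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name == SERVICE_NAME:
        return (host, "service name")
    return (host, "image name") if image_name == DROPPED_FILE else None

def triage(log_text):
    # Scan every line; return the evidence plus the hosts to isolate first.
    lines = log_text.splitlines()
    c2 = [r for r in map(match_c2_connection, lines) if r]
    svc = [r for r in map(match_service_install, lines) if r]
    return {"c2_connections": c2, "service_installs": svc,
            "hosts": sorted({r[0] for r in c2 + svc})}
```

Hostname matches are only useful while the attackers keep the same IRC infrastructure, so the service name and file name checks are the more durable half of the hunt.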

The attacks come less than a week after Microsoft issued the MS06-040
bulletin with patches for a "critical" Server Service flaw. Over the
last few days, Microsoft's security response unit has been bracing for
the worst after exploit code that offers a blueprint for attacks began
circulating on the Internet.

The Redmond, Wash., software maker also issued a formal advisory to
confirm the existence of public exploits.


This archive was generated by hypermail 2.1.3 : Mon Aug 14 2006 - 00:39:48 PDT