Spammers Jump on Latest MS Hole

By Paul F. Roberts

Security companies were gearing up for war last week, after Microsoft released its August 'Patch Tuesday' security fixes. And for all the hyperbole around one of those patches, MS06-040, it's a wonder we aren't all hunkered down, Terminator style, warming ourselves by the glowing embers of now-useless computers and trying to figure out how to keep the cyborgs at bay.

Alas, dire predictions of massive worm outbreaks from security vendors, and a stern warning from the U.S. Department of Homeland Security, proved a bit overblown.

The security hole in question was rated 'critical' by Microsoft and is in Windows' Server Service, a Windows component that provides support for RPC and allows Windows users to share resources such as disks and printers on a network. That makes it remarkably similar to the hole the Blaster worm took advantage of and may explain the strong warnings for companies to patch the hole, said Vincent Weafer, senior director at Symantec Security Response.

"I think when you look at the nature of the vulnerability, it caused people to be concerned. You can do remote connections [to vulnerable computers] and not validate those connections, then get remote access," Weafer said.

Some of those fears were confirmed when reports surfaced, just days after the Aug. 8 patch release, that computers infected with malicious IRC 'bot' programs were scanning the Internet for Windows systems with the MS06-040 vulnerability, then using publicly available code to exploit that hole and add the compromised systems to bot networks used to carry out denial-of-service attacks and distribute spam.

The managed security service provider LURHQ analyzed one of those bot programs, irc.mocbot, and found that it was being used to enlist vulnerable computers for spam campaigns, with command and control coming from servers in China, according to Joe Stewart, senior security researcher at LURHQ.

Despite the dire warnings, however, reports of infections from mocbot or other malicious code targeting MS06-040 are few and far between, and there's no indication that a Blaster-style worm is in the offing, experts said.

Part of the reason is improved security. Companies that have upgraded to Windows XP SP2 or are using a third-party desktop firewall won't be prey to the scanning IRC bots. Windows 2000 systems, which are particularly vulnerable to exploitation through MS06-040, are harder to find in enterprises, Stewart said.

The bigger picture is that worms such as Blaster are oh-so 2003.

"The big pandemic worm is not out there because nobody's motivated to do it," Weafer said. "Spammers want to be low-key and low-intensity."

Copyright 2006 Yahoo! Inc.
