Security experts are warily watching exploit code targeting flaws that Microsoft patched this month. But a new bot on the scene shows the bad guys haven't given up on an older attack vector they successfully plowed through two months ago with worms like Zotob.
The software giant said attackers could exploit the flaw, which takes advantage of the Windows elements that support hardware hot-swapping, to remotely launch malicious code or gain elevated user privileges. Windows 2000 SP4, XP SP1 and XP SP2 are affected.
But F-Secure researchers determined the bot targets an earlier Plug and Play flaw Microsoft patched Aug. 9 in MS05-039. That flaw has already been attacked by a number of Trojan horses, bots and worms, most notably Zotob.
"After further analysis, it turned out the actual vulnerability [Mocbot targets] is not MS05-047 but the old MS05-039," F-Secure said in its daily lab blog. "The confusion was caused by the exploit code used by Mocbot, which resembles publicly available exploit code for MS05-047. Also, we received reports that the bot channel may instruct all joining bots to start automatically scanning for vulnerable computers, thus acting as automatic worms."
F-Secure said that when Mocbot's file is started, it copies itself to the Windows system folder as "wudpcom.exe" and then creates a service with the following attributes:
- Service path: wudpcom.exe
- Service name: Windows UDP Communication
F-Secure said that when the bot is active, it connects to an IRC server, joins a certain channel and acts as a bot there. It uses the following IRC servers: bbjj.househot.com and ypgw.wallloan.com. "The bot [then] joins to a password-protected IRC channel where the hacker can send commands to the bots to control infected computers," F-Secure said.
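The indicators F-Secure lists (the dropped file, the service name and the two IRC hosts) can be swept for in a service inventory and a DNS query log; the sketch below is an added example, not F-Secure's or Microsoft's code. The record layout, the log format and all sample hosts and addresses are assumptions constructed for illustration.

```python
import ntpath

# Indicators as given in the F-Secure description quoted above.
DROPPED_FILE = "wudpcom.exe"
SERVICE_NAME = "windows udp communication"
IRC_HOSTS = {"bbjj.househot.com", "ypgw.wallloan.com"}

def image_name(path):
    """Reduce a service path (quoted, with arguments, or bare) to its file name."""
    p = path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    else:
        end = p.lower().find(".exe")
        if end != -1:
            p = p[:end + 4]
    return ntpath.basename(p).lower()

def check_services(records):
    """records: dicts with 'host', 'name', 'path' (assumed inventory format)."""
    hits = []
    for r in records:
        reasons = []
        if r["name"].strip().lower() == SERVICE_NAME:
            reasons.append("service name")
        if image_name(r["path"]) == DROPPED_FILE:
            reasons.append("service path")
        if reasons:
            hits.append((r["host"], reasons))
    return hits

def check_dns(lines):
    """lines: 'timestamp client queried-name' (assumed DNS log format)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) == 3 and parts[2].rstrip(".").lower() in IRC_HOSTS:
            hits.append((parts[1], parts[2].rstrip(".").lower()))
    return hits

# Constructed sample data, not taken from any real network.
SERVICES = [
    {"host": "WS-014", "name": "Windows UDP Communication", "path": "wudpcom.exe"},
    {"host": "WS-015", "name": "Print Spooler", "path": r"C:\WINDOWS\system32\spoolsv.exe"},
    {"host": "WS-016", "name": "Net Helper", "path": r'"C:\WINDOWS\system32\WUDPCOM.EXE" -s'},
]
DNS_LOG = [
    "2005-10-14T09:12:01 10.0.0.14 bbjj.househot.com.",
    "2005-10-14T09:12:07 10.0.0.15 www.example.com",
    "2005-10-14T09:13:40 10.0.0.16 YPGW.WALLLOAN.COM",
]

if __name__ == "__main__":
    print(check_services(SERVICES))
    print(check_dns(DNS_LOG))
```

Matching on the file name as well as the service name catches a host where the service was registered under a different name but still points at the dropped file.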
Though it's proven to be a dud thus far, its appearance raises two questions:
- Could Mocbot's creators adjust their tactics and come up with a way to target the newer Plug and Play flaw?
- Could the bot go after the original Plug and Play flaw with the same fury as Zotob?
To both questions, Hypponen's answer was maybe, but not likely.
Using Mocbot to fashion an attack on the new flaw could be done, he said, "but it wouldn't be that simple. There is public exploit code against MS05-047, but this code could not be used directly to create a worm." And, he added, "As there's no suitable exploit floating around, we don't expect to see a worm using the [newer] vulnerability just yet."