News Analysis

Attacks against MS06-040 on the rise

Bill Brenner, Senior News Writer
Security experts are warning IT administrators to restrict access to TCP port 139 and update antivirus programs daily, as attacks against the MS06-040 flaw increase.

Thursday, antivirus giant Symantec raised its ThreatCon to Level 2 -- signalling an increased risk of attacks -- after observing an increase in malicious activity over that port.

Symantec said its honeypots have observed ongoing and frequent attacks against the Windows Server Service remote buffer overflow flaw via TCP port 139, and that six known bots are now exploiting the vulnerability.

"The potential impact of these threats is exaggerated due to reports of successful compromise of Windows NT systems, for which there is no patch available, by at least one of the six bots targeting the vulnerability," Symantec said. "The exploits for at least some of these bots also function against Windows 2000 and XP targets."

Symantec's DeepSight Threat Management Service recommended network administrators restrict access to TCP port 139 and 445 at the network perimeter and make sure antivirus definitions are up to date.

More on MS06-040

Botnets spike in wake of Windows flaw

Fear and loathing in MS06-040's wake

August patch management woes strike again

Mocbot update targets MS06-040 flaw

Microsoft's fixes 23 flaws, DHS urges action
The SANS Internet Storm Center (ISC) said on its Web site that it has received "all kinds of emails about the recent increase in scanning on port 139."

Much of the ISC's analysis focused on the Randex worm, which started targeting MS06-040 last week.

Botnet masters have also targeted MS06-040 using Mocbot. Last week, messaging security vendor CipherTrust said it had observed a 23% spike in botnets during that week, partly because of Mocbot infections.

But so far the Blaster-sized superworm some experts have warned of since Microsoft released MS06-040 Aug. 8 has failed to materialise.

The ISC said IT shops can mitigate the risk associated with the MS06-040 flaw by updating antivirus programs at least daily, deploying patches quickly and blocking ports 139 and 445 at the router/firewall.

"Since cleaning botnets is pretty much impossible, prevention is the key," ISC handler Joel Esler wrote on the Web site. "If you do get hit with a botnet infection running throughout your network, my general recommendation is [to] rebuild the box."


Email Alerts

Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
 

COMMENTS powered by Disqus  //  Commenting policy