Mocbot update targets MS06-040 flaw

Attackers have launched malware against the Windows flaw Microsoft addressed in its MS06-040 patch. Security experts have sent out warnings urging enterprises and consumers alike to speed up their patching schedules in response.

A Microsoft spokesman said in an email that the company had activated its emergency response process following reports of the malware, which attackers are reportedly using to expand their IRC-controlled botnets. Symantec is calling the malware W32.Wargbot, while Tokyo-based Trend Micro is calling it WORM.IRCbot-JK and McAfee has labeled it IRC-Mocbot!MS06-040.

For more information: Microsoft's August update patches 23 flaws Surveillance exposes malware that comes back from the dead

"At this time the attack does not appear to be self replicating and only impacts computers running Windows 2000 who have not applied the MS06-040 security update," the Microsoft spokesman said, adding that the company considers the malware a low-level threat because it is not aware of any widespread customer impact. Nevertheless, he said, "The Microsoft Security Response Center remains on high alert and continues to recommend that customers apply the August security updates."

While Microsoft considers this a low-level threat, other security experts urged IT professionals to take the latest malware seriously.

"Automated botnet malware has been using [the MS06-040 flaw] to infect machines and then scan for new machines to infect," Marc Maiffret, chief hacking officer of eEye Digital Security, warned in a message on the patch management forum hosted by Shavlik Technologies. "If you have not installed the patch for MS06-040, then you're at risk and need to get a move on."

Maiffret said that when the malware infects a machine, it downloads a botnet program that then connects to IRC chat servers in China and elsewhere, allowing attackers to control the machine to do "whatever they want," including the ability to flood other systems with a distributed denial-of-service (DDoS) attack.

Security management firm LURHQ has posted an analysis of the malware. The company said there were a couple variants circulating, and that the code itself is not new. Rather, it is a modified version of the Mocbot-A malware that has been changed to go after machines vulnerable to the Windows Server Service flaw outlined in MS06-040.

"Mocbot first appeared in late 2005, using the MS05-039 PNP vulnerability in order to spread," LURHQ said. "Since it is a fairly unremarkable IRC bot and was not even the first to use the MS05-039 exploit, it received little attention past the ordinary antivirus write-ups and signatures."

Little appears to have changed between previous Mocbot variants and the new one, except the replacement of the MS05-039 exploit with that of MS06-040, LURHQ said. "Primarily, Mocbot resembles many other IRC bots, providing the controller with a backdoor on the infected host, along with the ability to launch a DDoS attack against other hosts, as well as being able to use the built-in exploit to spread to additional systems."

The SANS Internet Storm Centre (ISC) said on its Web site that it has received samples and infection reports from several sources and it appeared there are two different binaries involved.

The ISC also noted that such antivirus suppliers as Trend Micro, McAfee and F-Secure have started to offer protection against the malware.

Security experts have warned of the potential of a worm attack since MS06-040 was released, describing the flaw as easily exploitable. Even the U.S. Department of Homeland Security, which rarely joins the post-Patch Tuesday stampede of warnings, sent out a public advisory urging Windows users to install the MS06-040 patch as soon as possible.

Within hours of the patch release, H.D. Moore, co-creator of the Metasploit Framework, and other researchers started making exploit code available.