
A Windows Worm Mockup?

Update, Oct. 24, 9:30 a.m., ET: F-Secure and McAfee now are saying this "Mocbot" thing is in fact exploiting the same flaw that the Zotob worm went after, not the latest Microsoft flaw. Not quite sure how these two companies made the same mistake in their analysis, but none of this changes the fact that the possibility of a worm exploiting these new holes remains high.

My original post from earlier today:

On Friday, security researchers released proof-of-concept code demonstrating how attackers might exploit a security hole for which Microsoft released a patch less than two weeks ago.

Then on Saturday, evidence emerged that attackers were using the exploit code in a new Trojan horse program designed to turn infected machines into "bots" -- remote-controlled machines used mainly to relay spam or attack Web sites. Among the first to detect the new bugger was the Norman Sandbox, a scanning tool that computer forensics experts often use to identify both new and known computer viruses. Anti-virus companies F-Secure and McAfee (and others, I'm sure, by now) label the new threat "Mocbot."

Bot programs like Mocbot can be used to scan the Internet for other vulnerable computers, but as a rule they don't spread on their own. Still, it may be just a matter of time before we see this exploit folded into a self-spreading computer worm. If we do, the results may be similar to what we saw with the Zotob worm, which affected mainly Windows 2000 computers and caused disruptive but isolated outbreaks at large corporations around the world.

If you aren't up to speed on Windows patches yet, visit Microsoft Update ASAP -- there also are exploits circulating on the Internet for three other vulnerabilities that Microsoft detailed earlier this month.

By Brian Krebs  |  October 24, 2005; 9:33 AM ET
Categories:  Latest Warnings  

Comments

Although a worm may be created around MS05-047 or an existing bot may include the exploit in its spreading arsenal, I doubt you'll see the same impact as Zotob. According to MS, W2K systems patched for MS05-039 no longer allow anonymous access to the affected code. Even though there is still a remotely exploitable overflow, you now need user credentials to pull it off assuming the MS05-039 patch is applied (which many people did in the wake of Zotob). So Zotob has pretty much ruined it for any MS05-047 worms. The only people immediately affected are those residual never-patchers who are infected with Zotob and whatever else is out there using MS05-039.

Posted by: Joe Stewart | October 24, 2005 12:57 PM | Report abuse

Mr. Krebs: You gave instructions to hackers on how to use the Sony anti-piracy software to illegally hack computers.

The Post should fire you, and if you needlessly publish technique-specific information like that again, I will personally start a drive to terminate you.

Posted by: J.D.S | November 1, 2005 8:20 PM | Report abuse

J.D.S., your threat is meaningless and unwarranted. If you are able to carefully read Krebs' entry, you will see that FRSIRT published the instructions. In any event, malicious programmers would have found that code anyway without the help of FRSIRT or the Washington Post.

Posted by: Ken L | November 7, 2005 2:10 AM | Report abuse

JDS - Thanks for reading, and for sharing your thoughts. I have to ask, however... what the heck are you talking about? Did you even read that article? What technique-specific information are you referring to? And why are you posting a comment about the Sony story in this blog post?

You should take more care before making blatant threats in a public forum against people you don't even know and on subjects about which you quite obviously aren't very well read.

Posted by: Brian Krebs | November 7, 2005 5:03 PM | Report abuse


© 2010 The Washington Post Company