Spammers Exploiting Newly Detailed Windows Flaw
Organized criminals already are taking advantage of a newly detailed security hole to hijack computers running Windows software and turn them into relays that spammers can use to send junk e-mail anonymously.
In an unusual move, the Department of Homeland Security last week joined Microsoft Corp. in urging businesses and consumers to quickly apply updates that Microsoft released Tuesday to fix nearly two dozen security problems with its various software. The flaw DHS and Microsoft were most concerned about -- a flaw in the "Windows server" built into every supported version of Windows -- is now being exploited by online crime groups, according to several different reports.
The SANS Internet Storm Center says attackers appear to be scanning the Internet for vulnerable machines unguarded by either the patch to remedy this flaw or a firewall to block unwanted traffic. The exploit appears to work mainly against unpatched Windows 2000 computers. Once infected, a W2K machine will connect back to the attacker's control channel and await further instructions, which could be to spread itself via AOL Instant Messenger, scan for other vulnerable targets, or join other infected computers, or "bots," in an attack on a targeted Web site.
According to analysis by Joe Stewart, senior security researcher with Chicago-based Internet security company LURHQ, the 'bot code is a variant of "Mocbot," which first surfaced last fall and targeted a similar flaw in Windows 2000 machines. This time, the attackers are uploading code to make infected machines very handy for relaying junk e-mail for spammers.
"It's almost certain that this attack is entirely spam-related," Stewart said.
Attacks that exploit this Windows flaw are likely to become a problem for a number of businesses in the coming week. Companies generally take at least a week -- often several weeks -- to test and deploy Microsoft patches on their networks, leaving them vulnerable to exploits that can sneak through perimeter defenses via infected laptops that employees plug into the internal network or from malicious links and/or attachments that arrive via instant message or e-mail.
In a security advisory on the 'bot code published at just after 2 p.m. ET today, Microsoft said it is "not aware of widespread customer impact" and that it has rated Win32/Graweg (the label the company assigned to this code) as a "low threat."
"At this time it does not appear to be a self replicating internet-wide worm," the company said. Low or not, Windows users are urged to download the patches ASAP.
Update, 8:06 p.m. ET: It may be that Microsoft in its advisory is talking about a different threat than SANS and LURHQ are highlighting. For one thing, Microsoft calls this threat "Win32/Graweg," but I could find no links in Google to any writeup on that either at Microsoft or another third-party anti-virus company. Secondly, I asked LURHQ's Stewart to re-scan the malware he wrote about in his report, and below is the report returned by the free anti-virus scanning service at VirusTotal. You'll notice that as of 4:39 p.m. ET Microsoft's own anti-virus service had not detected as malicious the threat that Stewart and SANS were pointing out. Also, next to the name of each anti-virus service is its version, the date of its last update, followed by the result of the scan. The last update to Microsoft's OneCare anti-virus service as of Sunday was Aug. 4.
Scanner | Version | Last update | Result
AntiVir | 22.214.171.124 | 08.13.2006 | HEUR/Crypted.Layered
Authentium | 4.93.8 | 08.13.2006 | Possibly a new variant of W32/Threat-HLLIM-based!Maximus
Avast | 4.7.844.0 | 08.10.2006 | no virus found
AVG | 386 | 08.11.2006 | no virus found
BitDefender | 7.2 | 08.13.2006 | Backdoor.IRCBot.ST
CAT-QuickHeal | 8.00 | 08.13.2006 | Wargbot.b
ClamAV | devel-20060426 | 08.13.2006 | Trojan.IRCBot-689
DrWeb | 4.33 | 08.13.2006 | Win32.HLLW.Nert
eTrust-InoculateIT | 23.72.95 | 08.13.2006 | no virus found
eTrust-Vet | 30.3.3016 | 08.13.2006 | Win32/Cuebot.J
Ewido | 4.0 | 08.13.2006 | no virus found
Fortinet | 126.96.36.199 | 08.12.2006 | no virus found
F-Prot | 3.16f | 08.13.2006 | Possibly a new variant of W32/Threat-HLLIM-based!Maximus
F-Prot4 | 188.8.131.52 | 08.13.2006 | W32/Threat-HLLIM-based!Maximus
Ikarus | n | - | no virus found
Kaspersky | 184.108.40.206 | 08.13.2006 | Backdoor.Win32.IRCBot.st
McAfee | 4828 | 08.13.2006 | IRC-Mocbot!MS06-040
Microsoft | 1.1508 | 08.04.2006 | no virus found
NOD32v2 | 1.1704 | 08.11.2006 | a variant of Win32/IRCBot.OO
Norman | 5.90.23 | 08.11.2006 | W32/Suspicious_M.gen
Panda | 220.127.116.11 | 08.13.2006 | Suspicious file
Sophos | 4.08.0 | 08.13.2006 | no virus found
Symantec | 8.0 | 08.13.2006 | no virus found
TheHacker | 18.104.22.168 | 08.13.2006 | no virus found
UNA | 1.83 | 08.11.2006 | no virus found
VBA32 | 3.11.0 | 08.13.2006 | no virus found
VirusBuster | 4.3.7:9 | 08.13.2006 | Backdoor.IRCBot.AAH
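The point the update makes (an engine can miss a sample because its signatures are days old, not because the sample is clean) can be checked mechanically against a multi-scanner report like the one above. The following Python is an added example, not code from the original post or from VirusTotal; it parses a subset of the lines in the raw format they were posted in (the Ikarus line carries no update date) and flags misses coming from engines whose signatures were older than a few days at scan time.

```python
"""Parse VirusTotal-style result lines and separate true misses from stale-signature misses.

Added example, not part of the original post. SAMPLE is a subset of the report
above, copied as posted (version strings kept as printed); the scan date is the
report date the post gives, Aug. 13, 2006.
"""
import re
from datetime import date, datetime

SCAN_DATE = date(2006, 8, 13)

# Format per line: <engine> <version> <MM.DD.YYYY or -> <result text...>
SAMPLE = """\
AntiVir 22.214.171.124 08.13.2006 HEUR/Crypted.Layered
Avast 4.7.844.0 08.10.2006 no virus found
BitDefender 7.2 08.13.2006 Backdoor.IRCBot.ST
Ikarus n - no virus found
Kaspersky 184.108.40.206 08.13.2006 Backdoor.Win32.IRCBot.st
McAfee 4828 08.13.2006 IRC-Mocbot!MS06-040
Microsoft 1.1508 08.04.2006 no virus found
Symantec 8.0 08.13.2006 no virus found
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{2}\.\d{2}\.\d{4}|-)\s+(.*)$")
CLEAN_VERDICTS = {"no virus found"}  # result strings that mean "not detected"


def parse_report(text):
    """Return one dict per engine line; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        engine, version, updated, result = m.groups()
        updated = None if updated == "-" else datetime.strptime(updated, "%m.%d.%Y").date()
        rows.append({"engine": engine, "version": version, "updated": updated,
                     "result": result.strip(),
                     "detected": result.strip().lower() not in CLEAN_VERDICTS})
    return rows


def coverage(rows):
    """(engines that detected the sample, engines in the report)."""
    return sum(r["detected"] for r in rows), len(rows)


def stale_misses(rows, scan_date, max_age_days=3):
    """Misses where the engine's signatures were older than max_age_days (or undated)
    at scan time: a verdict of 'clean' from such an engine carries little weight."""
    out = []
    for r in rows:
        if r["detected"]:
            continue
        age = None if r["updated"] is None else (scan_date - r["updated"]).days
        if age is None or age > max_age_days:
            out.append((r["engine"], age))
    return out
```

Applied to the full table, the same check singles out the Microsoft engine: its Aug. 4 signature date is nine days behind the scan, which is the gap the update is drawing attention to.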
August 13, 2006; 5:27 PM ET
Categories: Latest Warnings