eEye Digital Security is alerting the network security community to the presence of multiple attacks in circulation which leverage the attack vector recently patched as part of the MS06-040 (http://www.microsoft.com/technet/security/bulletin/MS06-040.mspx) security bulletin.
Attack Summary
Once a system is infected, an IRC bot is installed which allows the system to be used for Distributed Denial of Service (DDoS) attacks against other machines. In addition, the malware allows its controller (an outside user) to execute programs, update the bot software, and exploit other machines. The malware will also attempt to disable Windows Firewall and the Windows XP SP2 security alert that triggers when the system's antivirus software is disabled.
The malware in question is leveraging the Server Service flaw that was patched last Tuesday in the Microsoft bulletin MS06-040. MS06-040 fixes an unchecked buffer in the Server Service which allows anonymous remote exploitation. At the time of the bulletin's release, US-CERT and Microsoft had claimed to have seen existing attacks on this flaw, but no evidence had been offered.
At this time there are two separate variants of this malware, both using a variant of publicly disclosed exploit code for MS06-040. While both samples appear to be very similar, they each use a different executable when infecting the system. The first variant uses the file name "wgareg.exe" and the second uses "wgavm.exe". Antivirus vendors have named this threat W32.Wargbot (Symantec), Worm.IRCBOT.JK/JL (Trend Micro), IRC.Mocbot (McAfee), and IRCBOT-ST (F-Secure).
Protection
Users should apply the Microsoft patch to vulnerable systems as soon as possible. eEye recommends using a vulnerability assessment product such as eEye's Retina to identify vulnerable systems immediately. As a service to the network security community, eEye has also made available a free utility which can scan up to 256 systems at once to check for the presence of the flaw patched by MS06-040.
Source: eEye's Email Alert