Server Service exploit installs IRC bot

It never seems to fail. A few days after Microsoft Patch Day, some hacker or security researcher releases exploit code targeting the worst of the vulnerabilities from that month. This disturbing trend seems to have become just as regular as Patch Day itself, as August proves.

Less than 48 hours after Patch Day, two security research organizations, Immunity Security and the Metasploit Project, released Proof-of-Concept (PoC) code to exploit Microsoft's latest Server Service vulnerability (MS06-040).

The release of this exploit code prompted a few security organizations, including the Department of Homeland Security (DHS) and nCircle, to issue critical warnings [1, 2] of a potential worm outbreak based on this vulnerability. When I first read these warnings, I felt they were too shrill. Sure, the Server Service vulnerability arguably seems the most risky of this month's flaws. After all, it affects all versions of Windows and resides in a service Windows typically installs and runs by default. However, a worm exploiting this flaw would have to connect to your computer on TCP port 135 or 445 (essentially the Windows network sharing ports) in order to infect you. No administrator in his right mind allows access to these ports from the Internet. For that reason, I doubted a worm exploiting this flaw would spread widely.

As it turns out, we were both kind of right.

Just as DHS and nCircle predicted, a new worm did come out over the weekend that exploits Microsoft's Server Service vulnerability. If it infects you, IRC-Mocbot!MS06-04 (also known as Wargbot or Cuebot-L) adds your computer to an IRC botnet, installs a backdoor, and continues to spread from your computer. However, just as I guessed, this worm hasn't spread widely... at least not yet.
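One defensive check that follows from the port requirement described above, added here as an example that is not part of the original post: a small Python script that reads firewall deny records and flags any single source probing TCP 135 or 445 on several hosts within a short window, the kind of internal spreading attempt an infected machine generates. The log format, field names and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall deny records (not from the original post):
# timestamp, source, destination, protocol, destination port.
SAMPLE_LOG = """\
2006-08-13T02:14:01 DENY src=10.0.5.17 dst=10.0.5.20 proto=tcp dport=445
2006-08-13T02:14:01 DENY src=10.0.5.17 dst=10.0.5.21 proto=tcp dport=445
2006-08-13T02:14:02 DENY src=10.0.5.17 dst=10.0.5.22 proto=tcp dport=135
2006-08-13T02:14:02 DENY src=10.0.5.17 dst=10.0.5.23 proto=tcp dport=445
2006-08-13T02:14:03 DENY src=10.0.5.17 dst=10.0.5.24 proto=tcp dport=135
2006-08-13T02:15:10 DENY src=10.0.5.40 dst=10.0.5.20 proto=tcp dport=445
2006-08-13T02:20:00 DENY src=10.0.5.41 dst=10.0.5.99 proto=tcp dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=tcp dport=(?P<dport>\d+)$"
)
# The Windows network-sharing ports the post says the worm must reach.
SHARING_PORTS = {135, 445}

def parse_line(line):
    """Return (timestamp, src, dst, dport) for a TCP deny record, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])

def find_scanners(log_text, min_targets=3, window_seconds=60):
    """Flag sources that hit SHARING_PORTS on >= min_targets distinct hosts
    within window_seconds. Returns {src: sorted list of all its targets}."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] in SHARING_PORTS:
            events[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, hits in events.items():
        hits.sort()  # time order so a sliding window can be applied
        start = 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({dst for _, dst in hits[start:end + 1]}) >= min_targets:
                flagged[src] = sorted({dst for _, dst in hits})
                break
    return flagged
```

Run against real firewall logs, a hit on the internal side is the signal the post asks you to watch for: a roving laptop that brought Mocbot in behind the perimeter.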

After getting bitten by similar worms, such as MSBlaster, I suspect even home users have smartened up and started blocking the Windows network sharing ports, thus helping to restrict the spread of this new worm. Nonetheless, you should still worry a little about Mocbot and its brethren. While I'm optimistic that this worm won't get past most administrators' perimeters, it will quickly eat your network alive if it does. To protect yourself, apply Microsoft's patch and keep your AV signatures up to date. As always, keep an eye on your network's back doors (e.g. roving laptops and the like) to make sure that Mocbot doesn't weasel its way in through a crack. --

Corey Nachreiner , CISSP

Copyright © 2006 WatchGuard® Technologies, Inc.

Linked by shanmuga Friday, 18th August 2006 12:35AM