Botnet Herders Target Windows

The first wave of malicious attacks against the MS06-040 vulnerability began Aug. 12, with attackers using malware that hijacks unpatched Windows machines for use in IRC-controlled botnets.

The attacks use a variant of a backdoor Trojan that installs itself on a system, modifies security settings, connects to a remote Internet Relay Chat server and listens for commands from a remote hacker, according to early warnings from anti-virus vendors.

The Microsoft Security Response Center said the attack appears to be specifically targeting unpatched Windows 2000 machines.

"Very few customers appear to be impacted, and we want to stress that if you have the MS06-040 update installed, you are not affected," said MSRC Program Manager Stephen Toulouse in Redmond, Wash. "While all that could change based on the actions of the criminals, its important to scope the situation and take the opportunity to stress that everyone should apply this update."

The MSRC is using its blog to communicate guidance in early stages of the attack.

According to the Chicago-based Lurhq Threat Intelligence Group, the attackers are using a variant of the Mocbot Trojan that was used in the Zotob worm attack in August 2005.

"Amazingly, this new variant of Mocbot still uses the same IRC server host names as a command-and-control mechanism after all these months. This may be partially due to the low profile it has held but also may be due to the fact that the host names and IP addresses associated with the command-and-control servers are almost all located in China," Lurhq said in an advisory.

Historically, Chinese ISPs and government entities have been less than cooperative in taking action against malware hosted and controlled from within their networks, Lurhq said.