The first wave of malicious attacks against the MS06-040 vulnerability is underway, using malware that hijacks unpatched Windows machines for use in IRC-controlled botnets.
The attacks, which started late Aug. 12, use a variant of a backdoor Trojan that installs itself on a system, modifies security settings, connects to a remote IRC (Internet Relay Chat) server and starts listening for commands from a remote hacker, according to early warnings from anti-virus vendors.
The MSRC (Microsoft Security Response Center) described the attack as “extremely targeted” and said it appears to be specifically targeting unpatched Windows 2000 machines.
“[This is] very much unlike what we have seen in the past with recent Internet-wide worms,” said MSRC program manager Stephen Toulouse. “In fact, our initial investigation reveals this isnt a worm in the “auto-spreading” classic sense,” he added.
“Very few customers appear to be impacted, and we want to stress that if you have the MS06-040 update installed, you are not affected. While all that could change based on the actions of the criminals, its important to scope the situation and take the opportunity to stress that everyone should apply this update,” Toulouse said.
The MSRC is using its blog to communicate guidance in the early stages of the attack.
“Amazingly, this new variant of Mocbot still uses the same IRC server hostnames as a command-and-control mechanism after all these months. This may be partially due to the low-profile it has held, but also may be due to the fact that the hostnames and IP addresses associated with the command-and-control servers are almost all located in China,” LURHQ said in an advisory.
Historically, Chinese ISPs and government entities have been less than cooperative in taking action against malware hosted and controlled from within their networks, the company said.
On Aug. 13, a second variant of the Trojan was detected, confirming fears that botnet herders are already playing cat-and-mouse with anti-virus vendors.
The Trojan copies itself to the system directory as “wgareg.exe,” and creates a service to run at startup called “Windows Genuine Advantage Registration Service,” a sign that the attackers are using Microsofts anti-piracy mechanism in a social engineering trick.
It adds a description that attempts to discourage victims from stopping the malicious service. It reads: “Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.”
F-Secure, an Internet security vendor in Helsinki, Finland, said the backdoor generates a random nickname, joins a password-protected IRC channel and waits for commands from a channel operator.
The backdoor also uses an auto-spreading mechanism. “When a hacker initiates a scan within a defined range of IP addresses, the backdoor attempt to connect to the selected IPs and to send the exploit there. If a remote computer is vulnerable, it becomes infected with the backdoor,” F-Secure said in an alert.
The IRC servers controlling the bots are hosted at “bbjj.househot.com:18067” and “ypgw.wallloan.com:18067,” F-Secure said, urging network administrators to monitor connection attempts to those hosts.
The attacks come less than a week after Microsoft issued the “critical” MS06-040 bulletin with patches for a “critical” Server Service flaw. Over the last few days, Microsofts security response unit has been bracing for the worst after exploit code that offers a blueprint for attacks began circulating on the Internet.
The Redmond, Wash., software maker also issued a formal advisory to confirm the existence of public exploits.