Worm exploiting Microsoft vulnerability developing into botnet

Share this article:

The “W32.Downadup” worm, exploiting the patched Microsoft's Windows Server Service (MWSS) vulnerability, is the key component in a developing botnet, researchers at Trend Micro said this week.

Last week, the same worm generated attention when it caused Symantec to raise its ThreatCon level.

The worm infected a large pool of computers, which has formed the basis of the botnet, researchers said in a blog post.

"Whoever launched the worm is part of the group that's responsible for making this a botnet," Ivan Macalintal, research project manager at Trend Micro, told SCMagazineUS.com on Tuesday, adding that he is unsure yet what the bot is being used for.

Researchers at Trend reported that 500,000 unique hosts have been infected across the globe. Macalintal said that because of the behavior of the worm, he expected to see the botnet grow bigger and produce more variants.

In a blog post dated Nov. 25, Microsoft researchers warned that malware it detected as “Worm: Win32/Conficker.A” had recently gained momentum, exploiting the MWSS vulnerability and spreading within corporations and to home users.

On Oct. 23, Microsoft issued an out-of-cycle emergency patch, with the security bulletin MS08-067. Since the vulnerability was patched, exploits have continually surfaced, gaining the attention of security vendors and bloggers. The same day that the patch was issued, public proof-of-concept code was released.

Also, in early November a number of exploits against the vulnerability were identified, including a worm called “Exploit.Win32.MS08-067.g” and a trojan called “Gimmiv.” By mid-November, Microsoft reported it had identified more than 50 distinct exploits against the MWSS vulnerability, and an additional worm, “Win32/Wecorl.A,” was reported. 

Microsoft has recommended that customers immediately apply the available security update for affected products.

Share this article:

Sign up to our newsletters

More in News

Brazilian president signs internet 'Bill of Rights' into law

Brazilian president signs internet 'Bill of Rights' into ...

President Dilma Rousseff signed the legislation on Wednesday at the NetMundial conference in Sao Paulo.

Android trojan sends premium SMS messages, targets U.S. users for first time

Android trojan sends premium SMS messages, targets U.S. ...

An SMS trojan for Android, known as FakeInst, has been observed sending premium SMS messages to users all over the world, including, for the first time, the United States.

Report: DDoS up in Q4 2013, vulnerability scanners leveraged to exploit sites

Report: DDoS up in Q4 2013, vulnerability scanners ...

Researchers observed 346 DDoS attacks in the final quarter of 2013 and attackers used Vega and Skipfish vulnerability scanners to exploit web flaws at financial companies.