Worm exploiting Microsoft vulnerability developing into botnet

Share this article:

The “W32.Downadup” worm, exploiting the patched Microsoft's Windows Server Service (MWSS) vulnerability, is the key component in a developing botnet, researchers at Trend Micro said this week.

Last week, the same worm generated attention when it caused Symantec to raise its ThreatCon level.

The worm infected a large pool of computers, which has formed the basis of the botnet, researchers said in a blog post.

"Whoever launched the worm is part of the group that's responsible for making this a botnet," Ivan Macalintal, research project manager at Trend Micro, told SCMagazineUS.com on Tuesday, adding that he is unsure yet what the bot is being used for.

Researchers at Trend reported that 500,000 unique hosts have been infected across the globe. Macalintal said that because of the behavior of the worm, he expected to see the botnet grow bigger and produce more variants.

In a blog post dated Nov. 25, Microsoft researchers warned that malware it detected as “Worm: Win32/Conficker.A” had recently gained momentum, exploiting the MWSS vulnerability and spreading within corporations and to home users.

On Oct. 23, Microsoft issued an out-of-cycle emergency patch, with the security bulletin MS08-067. Since the vulnerability was patched, exploits have continually surfaced, gaining the attention of security vendors and bloggers. The same day that the patch was issued, public proof-of-concept code was released.

Also, in early November a number of exploits against the vulnerability were identified, including a worm called “Exploit.Win32.MS08-067.g” and a trojan called “Gimmiv.” By mid-November, Microsoft reported it had identified more than 50 distinct exploits against the MWSS vulnerability, and an additional worm, “Win32/Wecorl.A,” was reported. 

Microsoft has recommended that customers immediately apply the available security update for affected products.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.