Worm exploiting Microsoft vulnerability developing into botnet

The “W32.Downadup” worm, which exploits the already-patched Microsoft Windows Server Service (MWSS) vulnerability, is the key component in a developing botnet, researchers at Trend Micro said this week.

Last week, the same worm generated attention when it caused Symantec to raise its ThreatCon level.

The worm infected a large pool of computers, which has formed the basis of the botnet, researchers said in a blog post.

"Whoever launched the worm is part of the group that's responsible for making this a botnet," Ivan Macalintal, research project manager at Trend Micro, told SCMagazineUS.com on Tuesday, adding that he is not yet sure what the bot is being used for.

Researchers at Trend reported that 500,000 unique hosts have been infected across the globe. Macalintal said that because of the behavior of the worm, he expected to see the botnet grow bigger and produce more variants.

In a blog post dated Nov. 25, Microsoft researchers warned that malware detected as “Worm: Win32/Conficker.A” had recently gained momentum, exploiting the MWSS vulnerability and spreading within corporations and to home users.

On Oct. 23, Microsoft issued an out-of-cycle emergency patch, with the security bulletin MS08-067. Since the vulnerability was patched, exploits have continually surfaced, gaining the attention of security vendors and bloggers. The same day that the patch was issued, public proof-of-concept code was released.

Also, in early November a number of exploits against the vulnerability were identified, including a worm called “Exploit.Win32.MS08-067.g” and a trojan called “Gimmiv.” By mid-November, Microsoft reported it had identified more than 50 distinct exploits against the MWSS vulnerability, and an additional worm, “Win32/Wecorl.A,” was reported. 

Microsoft has recommended that customers immediately apply the available security update for affected products.
