Worm exploiting Microsoft vulnerability developing into botnet

The “W32.Downadup” worm, exploiting the patched Microsoft's Windows Server Service (MWSS) vulnerability, is the key component in a developing botnet, researchers at Trend Micro said this week.

Last week, the same worm generated attention when it caused Symantec to raise its ThreatCon level.

The worm infected a large pool of computers, which has formed the basis of the botnet, researchers said in a blog post.

"Whoever launched the worm is part of the group that's responsible for making this a botnet," Ivan Macalintal, research project manager at Trend Micro, told SCMagazineUS.com on Tuesday, adding that he is unsure yet what the bot is being used for.

Researchers at Trend reported that 500,000 unique hosts have been infected across the globe. Macalintal said that because of the behavior of the worm, he expected to see the botnet grow bigger and produce more variants.

In a blog post dated Nov. 25, Microsoft researchers warned that malware it detected as “Worm: Win32/Conficker.A” had recently gained momentum, exploiting the MWSS vulnerability and spreading within corporations and to home users.

On Oct. 23, Microsoft issued an out-of-cycle emergency patch, with the security bulletin MS08-067. Since the vulnerability was patched, exploits have continually surfaced, gaining the attention of security vendors and bloggers. The same day that the patch was issued, public proof-of-concept code was released.

Also, in early November a number of exploits against the vulnerability were identified, including a worm called “Exploit.Win32.MS08-067.g” and a trojan called “Gimmiv.” By mid-November, Microsoft reported it had identified more than 50 distinct exploits against the MWSS vulnerability, and an additional worm, “Win32/Wecorl.A,” was reported. 

Microsoft has recommended that customers immediately apply the available security update for affected products.