Worm exploiting Microsoft vulnerability developing into botnet

Share this article:

The “W32.Downadup” worm, exploiting the patched Microsoft's Windows Server Service (MWSS) vulnerability, is the key component in a developing botnet, researchers at Trend Micro said this week.

Last week, the same worm generated attention when it caused Symantec to raise its ThreatCon level.

The worm infected a large pool of computers, which has formed the basis of the botnet, researchers said in a blog post.

"Whoever launched the worm is part of the group that's responsible for making this a botnet," Ivan Macalintal, research project manager at Trend Micro, told SCMagazineUS.com on Tuesday, adding that he is unsure yet what the bot is being used for.

Researchers at Trend reported that 500,000 unique hosts have been infected across the globe. Macalintal said that because of the behavior of the worm, he expected to see the botnet grow bigger and produce more variants.

In a blog post dated Nov. 25, Microsoft researchers warned that malware it detected as “Worm: Win32/Conficker.A” had recently gained momentum, exploiting the MWSS vulnerability and spreading within corporations and to home users.

On Oct. 23, Microsoft issued an out-of-cycle emergency patch, with the security bulletin MS08-067. Since the vulnerability was patched, exploits have continually surfaced, gaining the attention of security vendors and bloggers. The same day that the patch was issued, public proof-of-concept code was released.

Also, in early November a number of exploits against the vulnerability were identified, including a worm called “Exploit.Win32.MS08-067.g” and a trojan called “Gimmiv.” By mid-November, Microsoft reported it had identified more than 50 distinct exploits against the MWSS vulnerability, and an additional worm, “Win32/Wecorl.A,” was reported. 

Microsoft has recommended that customers immediately apply the available security update for affected products.

Share this article:

Sign up to our newsletters

More in News

Instagram iOS and Android apps vulnerable to session hijacking

Two researchers wrote about the Instagram app for iOS and Android is vulnerable to session hijacking because both send unsecured information through HTTP.

Report: Hackers stole data from Israeli defense firms

A report by Brian Krebs detailed the intrusions, which occurred between Oct. 2011 and Aug. 2012.

Neverquest trojan targets regional banks in Japan

Symantec researchers found a new variant of the banking trojan.