As many IT security experts predicted, malware taking advantage of a flaw patched by the Aug. 8 MS06-040 bulletin emerged over the weekend, but Microsoft experts maintain the exploit poses little threat.
"What we know right now is that the attack affects specifically Windows 2000 computers who have not applied the MS06-040 update," Adrian Stone, a Microsoft Security Response Center program manager, said Sunday on a company blog. "Thus far, we have not seen this attack impacting any other versions. We urge everyone to apply the update, however."
Several variants of worm-like bots, scanning for hosts left open to a critical Windows server service vulnerability that could allow an attacker to take remote control of a computer, have been identified. They spread by connecting to internet relay chat (IRC) servers, according to the SANS Internet Storm Center and security vendor F-Secure. The Windows server flaw has received widespread attention, even prompting the Department of Homeland Security to last week issue an unprecedented statement urging users to apply the latest patches.
Vulnerability management firm nCircle issued a statement on Friday, warning that a "significant worm attack is likely and imminent" as a result of the vulnerability, and it could rival the MSBlaster worm. The payload potentially is so destructive because the vulnerability is remotely and anonymously exploitable on all unpatched versions of Windows, said Minoo Hamilton, senior security researcher at nCircle.
"I think it's just a matter of time," he said today. "It really comes down to someone using the right propagation methods and getting something out there that really has legs."
But Stephen Toulouse of Microsoft's Security Response Center said in a blog posting Sunday: "So far, this appears to be an extremely targeted attack, very much unlike what we have seen in the past with recent internet-wide worms. In fact, our initial investigation reveals this isn't a worm in the 'autospreading' classic sense, and it appears to target Windows 2000."
"Very few customers appear to be impacted, and we want to stress that if you have the MS06-040 update installed, you are not affected," Toulouse added.
Security vendors have assigned several names to the bot, including W32.Wargbot and IRC-MocBot, while Microsoft refers to the malware as Win32/Graweg. Security firm Sophos has identified two variants – calling them Cuebot-L and Cuebot-M – that spread via AOL Instant Messenger. The worms disable firewalls and open a backdoor for hackers, according to a Sophos statement.
"There will be many Windows computers that will not have been patched yet and may be vulnerable to infection and compromise," said Graham Cluley, senior technology consultant for Sophos. "We wouldn't be surprised if more worms were released which exploited this security hole in Microsoft's software."
According to SANS researcher Swa Frantzen, network administrators should be on the lookout for infected laptops returning for internal use and infected machines that are scanning the network for vulnerable systems. "Check that all machines have been patched and rebooted," he said today on the SANS website. "We have confirmations that the patches are effective in stopping the initial attack."