Slashdot Mirror


Botnet Herders Attack MS06-040 Worm Hole

Laljeetji writes "eWeek reports that the first wave of malicious attacks against the MS06-040 vulnerability is underway, using malware that hijacks unpatched Windows machines for use in IRC-controlled botnets. The attacks, which started late Aug. 12, use a variant of a backdoor Trojan that installs itself on a system, modifies security settings, connects to a remote IRC (Internet Relay Chat) server and starts listening for commands from a remote hacker. On the MSRC blog, Microsoft is calling it a very small, targeted attack that does not (yet?) have an auto-spreading mechanism. LURHQ has a detailed analysis of the backdoor."

10 of 112 comments

  1. Re:IRC the weakpoint? by LiquidCoooled (Score: 5, Informative)

    They know where it's coming from, but the Chinese are still pissed at Jack Bauer so they won't shut it down.

    Actually, they say it's the same server that's been running for months:

    Amazingly, this new variant of Mocbot still uses the same IRC server hostnames as a command-and-control mechanism after all these months. This may be partially due to the low profile it has held, but also may be due to the fact that the hostnames and IP addresses associated with the command-and-control servers are almost all located in China. Historically, Chinese ISPs and government entities have been less than cooperative in taking action against malware hosted and controlled from within their networks.

    --
    liqbase :: faster than paper
  2. Update Server 2003 and XP SP2 as well by jiushao (Score: 3, Informative)

    Notice: This worm cannot target Server 2003 or XP SP2; in fact, no exploit for them has been found. The basic flaw exists, but the stack guards used on all newer versions of Windows (post-security-push) trip all attacks attempted as of yet. To be really safe, however, make sure you update Server 2003 and XP SP2 machines anyway!

  3. Re:IRC the weakpoint? by httptech (Score: 5, Informative)

    Modern botnet command-and-control IRC servers don't give out information like who else is connected. In this Mocbot C&C, you join the channel, get an encrypted command (in the channel topic) which tells the bot to join another channel. In that channel, another encrypted command in the topic tells the bot to download and execute a trojan (which currently is detected by some AV as Trojan-Proxy.Win32.Ranky.fv).

    The reason for all this subterfuge is that if the AV companies aren't spying on the control channel, they have no way to know about the second-stage infection unless they get lucky - so even if they do clean the Mocbot infection, the proxy trojan still resides on the machine.
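The two-stage channel hop described in this comment is something a network defender can key on without knowing what the encrypted topics say. The following is an added example (not LURHQ's analysis or the commenter's code) that flags, from a constructed IRC capture, any client that joins a channel, gets an opaque blob as the topic, and then repeats that on a second channel; the capture format, the channel names and the blobs are all constructed.

```python
"""Flag the Mocbot-style two-stage channel hop from captured IRC traffic.

Added example. Topic 'commands' are treated as opaque blobs: the detector keys on
the shape of the exchange (JOIN -> opaque topic -> JOIN another channel -> opaque
topic), since the real encoding is not documented on this page. Capture is constructed.
"""
import re
from collections import defaultdict

# Client JOIN request, and the server's RPL_TOPIC (332) reply ':server 332 nick #chan :topic'.
JOIN_RE = re.compile(r"^JOIN (?P<chan>#\S+)")
TOPIC_RE = re.compile(r"^:\S+ 332 \S+ (?P<chan>#\S+) :(?P<topic>.*)$")
# Heuristic for a topic carrying a blob rather than text: one long base64/hex-looking token.
OPAQUE_RE = re.compile(r"^[A-Za-z0-9+/=]{24,}$")


def looks_opaque(topic):
    """True when the topic is a single long base64/hex-like token with no readable words."""
    return OPAQUE_RE.match(topic.strip()) is not None


def find_channel_hops(capture):
    """capture: iterable of (direction, client_ip, irc_line); direction is 'C2S' or 'S2C'.
    Returns {client_ip: [chan1, chan2, ...]} for clients that received an opaque topic on a
    channel they had just joined and then did the same again on a different channel."""
    pending = {}                # client_ip -> channel most recently JOINed
    staged = defaultdict(list)  # client_ip -> channels whose topic was an opaque blob
    for direction, client, line in capture:
        if direction == "C2S":
            m = JOIN_RE.match(line)
            if m:
                pending[client] = m.group("chan")
        elif direction == "S2C":
            m = TOPIC_RE.match(line)
            if m and pending.get(client) == m.group("chan") and looks_opaque(m.group("topic")):
                staged[client].append(m.group("chan"))
    return {c: chans for c, chans in staged.items() if len(set(chans)) >= 2}


# Constructed capture: one bot-like client, one that stops after stage one, one normal user.
SAMPLE_CAPTURE = [
    ("C2S", "10.0.0.5", "JOIN #a1"),
    ("S2C", "10.0.0.5", ":irc.example.invalid 332 bot5 #a1 :Q2hhbm5lbCBob3AgdG8gI3VwZA=="),
    ("C2S", "10.0.0.5", "JOIN #upd"),
    ("S2C", "10.0.0.5", ":irc.example.invalid 332 bot5 #upd :aHR0cDovL2V4YW1wbGUuaW52YWxpZC9kbC5leGU="),
    ("C2S", "10.0.0.7", "JOIN #a1"),
    ("S2C", "10.0.0.7", ":irc.example.invalid 332 bot7 #a1 :Q2hhbm5lbCBob3AgdG8gI3VwZA=="),
    ("C2S", "10.0.0.9", "JOIN #linux"),
    ("S2C", "10.0.0.9", ":irc.example.invalid 332 alice #linux :Welcome to #linux, be nice"),
]

if __name__ == "__main__":
    print(find_channel_hops(SAMPLE_CAPTURE))  # {'10.0.0.5': ['#a1', '#upd']}
```

A client that only reaches the first stage (10.0.0.7 above) is not flagged, which keeps the heuristic focused on the hop rather than on any single odd-looking topic.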

  4. Re:Compartmentalization and openness by Anonymous Coward (Score: 1, Informative)

    What are you talking about? The "Server" service is the component (it handles file, printer, named pipe sharing, etc.), and is very easily stopped or disabled.

  5. Re:Wondering... by httptech (Score: 5, Informative)

    Yes, actually there is a remove command built into Mocbot. However, you have to issue the command from the proper user@host mask, something you can't do unless you have admin access to the IRC server.

    An alternative is to use DNS to redirect the bots to a blackhole IRC server where the remove command can be executed. Of course, this only works if you have control over the DNS (e.g. an ISP redirecting their own users). Getting someone responsible for the authoritative DNS server is not likely to happen given the Chinese origin.

  6. Re:Compartmentalization and openness by Anonymous Coward (Score: 2, Informative)

    It's interesting to note that the Microsoft Security Bulletin [microsoft.com] does not disclose the component of the "Server Service" that is subject to the vulnerability.

    Yes, actually, the bulletin does. The problem is within Netapi32.

  7. Re:As I understand it... by gregarican (Score: 3, Informative)

    ...a PC whose only crime is running Windows while connected to the internet...

    Actually it's a PC that is running Windows with Microsoft Networking ports open while connected to the Internet. Big difference. There are many holes over the years that have been exposed in the NT LAN Manager networking stack that have led to these ports being blocked at the firewall as standard practice. Going back to 1997, from what I recall, someone could open up an anonymous IPC$ pipe with an NT box and create their own admin account. Things have improved since then, but anyone who has these ports up and listening on the Internet is an idiot. Back in 2000 my company got its first DSL router for Internet access. Even that hardware came with an option just called "Microsoft Networking" blocks. Of course patch your boxes. Keep them updated. This would avoid some local host getting something propagated through your LAN/WAN. But as for the Internet aspect, God knows people should have learned. Ports 137, 138, 139, and 445 should be nowhere to be found from the Internet!
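The rule in this comment (ports 137, 138, 139 and 445 must not be reachable from the Internet) is easy to audit on a host. Below is an added example, not the commenter's or any vendor's tool, that parses netstat -an style output (constructed here; the script does not run netstat) and reports every NetBIOS/SMB listener bound to the wildcard address or to an address outside the LAN prefixes you trust.

```python
"""Audit listening NetBIOS/SMB sockets (137, 138, 139, 445) for Internet exposure.
Added example with constructed netstat output; LAN prefixes are supplied by the caller."""
import ipaddress

NETBIOS_SMB_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn", 445: "microsoft-ds"}
ANY_ADDRS = {"0.0.0.0", "::", "*"}  # wildcard binds answer on every interface, Internet-facing included


def parse_netstat(text):
    """Yield (proto, local_addr, local_port) for listening TCP and bound UDP sockets from
    Windows-style lines: 'TCP 0.0.0.0:445 0.0.0.0:0 LISTENING' or 'UDP 0.0.0.0:137 *:*'."""
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        if proto == "TCP" and parts[-1] != "LISTENING":
            continue  # established or closing connections are not listeners
        addr, port = local.rsplit(":", 1)
        yield proto, addr.strip("[]"), int(port)


def exposed_listeners(listeners, lan_prefixes):
    """Return (proto, addr, port, service) for NetBIOS/SMB sockets reachable from outside the
    trusted prefixes: a wildcard bind, or a bind to an address inside none of the LAN prefixes."""
    nets = [ipaddress.ip_network(p) for p in lan_prefixes]
    findings = []
    for proto, addr, port in listeners:
        if port not in NETBIOS_SMB_PORTS:
            continue
        if addr in ANY_ADDRS or not any(ipaddress.ip_address(addr) in n for n in nets):
            findings.append((proto, addr, port, NETBIOS_SMB_PORTS[port]))
    return findings


# Constructed netstat output: a LAN-only SMB listener, two wildcard binds and one public bind.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.7:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.20:445       203.0.113.9:51022      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    for f in exposed_listeners(parse_netstat(SAMPLE_NETSTAT), ["192.168.1.0/24"]):
        print("EXPOSED %s %s:%d (%s)" % f)
```

A wildcard bind is reported even when a host firewall might be filtering it, because the audit only sees what the socket is bound to; confirm the firewall rule separately.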

  8. Re:The problem with that assertion.. by DeadChobi (Score: 2, Informative)

    I just thought I'd take a moment out of my busy day to inform you that you don't need to install WGA if you don't want to. You can still continue patching your machine. Why, just the other day I got the latest security updates from Microsoft. WGA isn't being forced on anyone who is savvy enough to know that they don't want it.

    --
    SRSLY.
  9. Re:strange headlines... by ltbarcly (Score: 2, Informative)

    I shouldn'ta hava to remind ya, every Star Trek techno babble contains a mention of the deflectors.

  10. Re:A Solution... by Secrity (Score: 2, Informative)

    This all goes back to the two main problems with computer security: 1.) People who are barely technically proficient enough to safely operate a toaster are operating computers that require a considerable amount of technical knowledge to safely operate. 2.) The vendor that provides the vast majority of the OS and office suite patches has a less than stellar track record at producing bug-free patches (the patch process has also been known to introduce what some people consider to be malware masquerading as critical patches).

    These computer end-users are the same people that have to be told:

              Do not operate toaster outdoors in a wet location.
              Do not insert fork or other metal object into toaster slots.
              Do not operate toaster while any part is under water.
              Do not insert over-sized foods into the toaster.
              Do not insert metal foil packages into the toaster.
              Do not place plastic wrapped items into the toaster.
              Failure to clean crumb tray may result in a risk of fire.