Slashdot Mirror

← Back to Stories (view on slashdot.org)

Botnet Herders Attack MS06-040 Worm Hole

Posted by ryuzaki0 on from the worming-your-way-through-the-net dept.

Laljeetji writes "eweek reports that the first wave of malicious attacks against the MS06-040 vulnerability is underway, using malware that hijacks unpatched Windows machines for use in IRC-controlled botnets. The attacks, which started late Aug. 12, use a variant of a backdoor Trojan that installs itself on a system, modifies security settings, connects to a remote IRC (Internet Relay Chat) server and starts listening for commands from a remote hacker. On the MSRC blog, Microsoft is calling it a very small, targeted attack that does not (yet?) have an auto-spreading mechanism. LURHQ has a detailed analysis of the backdoor."

6 of 112 comments (clear)

  1. Whats gonna happen when Norton removes WGA? by LiquidCoooled · · Score: 5, Funny

    from the analysis:

    This variant of mocbot copies itself to the system directory as wgareg.exe, and creates an NT service to run at startup called "Windows Genuine Advantage Registration Service". The description given to the service reads "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.", in an attempt to discourage users from stopping it from running.

    Do we actually know which is the more malicious variant?

    --
    liqbase :: faster than paper
  2. Re:IRC the weakpoint? by LiquidCoooled · · Score: 5, Informative

    They know where its coming from, but the Chinese are still pissed at Jack Bauer so they won't shut it down.

    actually, they say its the same server thats been running for months:
    Amazingly, this new variant of Mocbot, still uses the same IRC server hostnames as a command-and-control mechanism after all these months. This may be partially due to the low-profile it has held, but also may be due to the fact that the hostnames and ip addresses associated with the command-and-control servers are almost all located in China. Historically Chinese ISPs and government entities have been less-than-cooperative in taking action against malware hosted and controlled from within their networks.

    --
    liqbase :: faster than paper
  3. A Solution... by nmb3000 · · Score: 5, Insightful

    Find a way to make the average user patch software.

    As wonderful as it would be if all software was completely bug free and contained no security holes, it's simply impossible. No product, be it OSS or commercial, is free of these banes. On the other hand, problems like this would nearly go away, if only users would patch the software. Whether it's a new exploit in Windows or Apache or phpBB, if you don't patch, you're going to get screwed. Yes, it seems like Microsoft products have more patches than average, but at least they have patches. Blaster and MyDoom? They'd have never hit the news if users were patched. Automatic Updates in XP is a great step forward, but it's still opt-in.

    Some people seem amazed when I say I had no direct problems with Blaster or Welchia, and they don't seem to get it that these problems essentially always appear after a patch is release which means there is no valid reason for their survival. Patch, patch, patch, patch, patch. Yes, slightly monotonous, but if users would simple do it, we'd stop seeing these equally monotonous news stories about Exploits of Doom.

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)
    1. Re:A Solution... by Ph33r+th3+g(O)at · · Score: 5, Insightful

      A good start would be for Microsoft to stop attaching new EULA conditions or spyware (e.g. WGA) as a prerequsite to getting patches conveniently.

      --
      I too have felt the cold finger of injustice.
  4. Re:IRC the weakpoint? by httptech · · Score: 5, Informative

    Modern botnet command-and-control IRC servers don't give out information like who else is connected. In this Mocbot C&C, you join the channel, get an encrypted command (in the channel topic) which tells the bot to join another channel. In that channel, another encrypted command in the topic tells the bot to download and execute a trojan (which currently is detected by some AV as Trojan-Proxy.Win32.Ranky.fv).

    The reason for all this subterfuge is, if the AV companies aren't spying on the control channel, they have no way to know about the second-stage infection, unless they get lucky - so even if they do clean the Mocbot infection, the proxy trojan still resides on the machine.

  5. Re:Wondering... by httptech · · Score: 5, Informative

    Yes, actually there is a remove command built in to Mocbot. However, you have to issue the command from the proper user@host mask; something you can't do unless you have admin access to the IRC server.

    An alternative is to use DNS to redirect the bots to a blackhole IRC server where the remove command can be executed. Of course, this only works if you have control over the DNS (e.g. an ISP redirecting their own users). Getting someone responsible for the authoritative DNS server is not likely to happen given the Chinese origin.