TELECOM Digest OnLine - Sorted: Spammers Jump on Latest MS Hole


Spammers Jump on Latest MS Hole


Paul F. Roberts (yahoo@telecom-digest.org)
Tue, 12 Sep 2006 20:28:39 -0500

By Paul F. Roberts

Security companies were gearing up for war last week, after Microsoft
released its August 'Patch Tuesday' security fixes. And for all the
hyperbole around one of those patches, MS06-040, it's a wonder we
aren't all hunkered down, Terminator style, warming ourselves by the
glowing embers of now-useless computers and trying to figure out how
to keep the cyborgs at bay.

Alas, dire predictions of massive worm outbreaks from security
vendors, and a stern warning from the U.S. Department of Homeland
Security, proved a bit overblown.

The security hole in question was rated 'critical' by Microsoft and is
in Windows' Server Service, a Windows component that provides support
for RPC and allows Windows users to share resources such as disks and
printers on a network. That makes it remarkably similar to the hole
the Blaster worm took advantage of and may explain the strong warnings
for companies to patch the hole, said Vincent Weafer, senior director
at Symantec Security Response.

"I think when you look at the nature of the vulnerability, it caused
people to be concerned. You can do remote connections [to vulnerable
computers] and not validate those connections, then get remote access,"
Weafer said.

Some of those fears were confirmed when reports surfaced, just days
after the Aug. 8 patch release, that computers infected with malicious
IRC 'bot' programs were scanning the Internet for Windows
systems that had the MS06-040 vulnerability and then using publicly
available code to exploit that hole and add vulnerable systems to bot
networks that are used to carry out denial-of-service attacks and
distribute spam.

The managed security service provider LURHQ analyzed one of those bot
programs, irc.mocbot, and found that it was being used to enlist
vulnerable computers for spam campaigns, with command and control
coming from servers in China, according to Joe Stewart, senior
security researcher at LURHQ.

Despite the dire warnings, however, reports of infections from mocbot or
other malicious code targeting MS06-040 are few and far between, and
there's no indication that a Blaster-style worm is in the offing,
experts said.

Part of the reason is improved security. Companies that have upgraded
to Windows XP SP2 or are using a third-party desktop firewall won't be
prey to the scanning IRC bots. Windows 2000 systems, which are
particularly vulnerable to exploitation through MS06-040, are harder
to find in enterprises, Stewart said.

The bigger picture is that worms such as Blaster are oh-so 2003.

"The big pandemic worm is not out there because nobody's motivated to do
it," Weafer said. "Spammers want to be low-key and low-intensity."

Copyright 2006 Yahoo! Inc.
