
Spammers Exploiting Newly Detailed Windows Flaw

Organized criminals already are taking advantage of a newly detailed security hole to hijack computers running Windows software and turn them into relays that spammers can use to send junk e-mail anonymously.

In an unusual move, the Department of Homeland Security last week joined Microsoft Corp. in urging businesses and consumers to quickly apply updates that Microsoft released Tuesday to fix nearly two dozen security problems with its various software. The flaw DHS and Microsoft were most concerned about -- a flaw in the "Windows server" built into every supported version of Windows -- is now being exploited by online crime groups, according to several different reports.

The SANS Internet Storm Center says attackers appear to be scanning the Internet for vulnerable machines unguarded by either the patch to remedy this flaw or a firewall to block unwanted traffic. The exploit appears to work mainly against unpatched Windows 2000 computers. Once infected, a W2K machine will connect back to the attacker's control channel and await further instructions, which could be to spread itself via AOL Instant Messenger, scan for other vulnerable targets, or join other infected computers, or "bots," in an attack on a targeted Web site.

According to analysis by Joe Stewart, senior security researcher with Chicago-based Internet security company LURHQ, the 'bot code is a variant of "Mocbot," which first surfaced last fall and targeted a similar flaw in Windows 2000 machines. This time, the attackers are uploading code to make infected machines very handy for relaying junk e-mail for spammers.

"It's almost certain that this attack is entirely spam-related," Stewart said.

Attacks that exploit this Windows flaw are likely to become a problem for a number of businesses in the coming week. Companies generally take at least a week -- often several weeks -- to test and deploy Microsoft's patches on their networks, leaving them vulnerable to exploits that can sneak through perimeter defenses via infected laptops that employees plug into the internal network, or via malicious links and/or attachments that arrive by instant message or e-mail.

In a security advisory on the 'bot code published at just after 2 p.m. ET today, Microsoft said it is "not aware of widespread customer impact" and that it has rated Win32/Graweg (the label the company assigned to this code) as a "low threat."

"At this time it does not appear to be a self replicating internet-wide worm," the company said. Low or not, Windows users are urged to download the patches ASAP.

Update, 8:06 p.m. ET: It may be that Microsoft in its advisory is talking about a different threat than the one SANS and LURHQ are highlighting. For one thing, Microsoft calls this threat "Win32/Graweg," but I could find no links in Google to any writeup on that name, either at Microsoft or at any third-party anti-virus company. Secondly, I asked LURHQ's Stewart to re-scan the malware he wrote about in his report, and below is the report returned by the free anti-virus scanning service at VirusTotal. You'll notice that as of 4:39 p.m. ET Microsoft's own anti-virus service had not detected as malicious the threat that Stewart and SANS were pointing out. Also, next to the name of each anti-virus service is the version and date of its last update, followed by the result of the scan. The last update to Microsoft's OneCare anti-virus service as of Sunday was Aug. 4.

AntiVir 6.35.1.0 08.13.2006 HEUR/Crypted.Layered
Authentium 4.93.8 08.13.2006 Possibly a new variant of W32/Threat-HLLIM-based!Maximus
Avast 4.7.844.0 08.10.2006 no virus found
AVG 386 08.11.2006 no virus found
BitDefender 7.2 08.13.2006 Backdoor.IRCBot.ST
CAT-QuickHeal 8.00 08.13.2006 Wargbot.b
ClamAV devel-20060426 08.13.2006 Trojan.IRCBot-689
DrWeb 4.33 08.13.2006 Win32.HLLW.Nert
eTrust-InoculateIT 23.72.95 08.13.2006 no virus found
eTrust-Vet 30.3.3016 08.13.2006 Win32/Cuebot.J
Ewido 4.0 08.13.2006 no virus found
Fortinet 2.77.0.0 08.12.2006 no virus found
F-Prot 3.16f 08.13.2006 Possibly a new variant of W32/Threat-HLLIM-based!Maximus
F-Prot4 4.2.1.29 08.13.2006 W32/Threat-HLLIM-based!Maximus
Ikarus n - no virus found
Kaspersky 4.0.2.24 08.13.2006 Backdoor.Win32.IRCBot.st
McAfee 4828 08.13.2006 IRC-Mocbot!MS06-040
Microsoft 1.1508 08.04.2006 no virus found
NOD32v2 1.1704 08.11.2006 a variant of Win32/IRCBot.OO
Norman 5.90.23 08.11.2006 W32/Suspicious_M.gen
Panda 9.0.0.4 08.13.2006 Suspicious file
Sophos 4.08.0 08.13.2006 no virus found
Symantec 8.0 08.13.2006 no virus found
TheHacker 5.9.8.191 08.13.2006 no virus found
UNA 1.83 08.11.2006 no virus found
VBA32 3.11.0 08.13.2006 no virus found
VirusBuster 4.3.7:9 08.13.2006 Backdoor.IRCBot.AAH
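A multi-engine listing like the one above is only useful if you read the update dates alongside the verdicts: a "no virus found" from an engine whose definitions predate the sample is not evidence of anything. The script below, an added example that is not code from the post or from VirusTotal, parses the flattened report format as it appears in the post ("engine version MM.DD.YYYY verdict"), computes the detection ratio, flags engines whose definitions were stale on the scan day (the 2006-08-13 scan date comes from the post; the two-day threshold is an assumption), and counts how many distinct names the detecting engines gave the same file. The garbled "Ikarus" line, which has no readable version or date, is handled as an unknown-date engine rather than an error.

```python
"""Parse a flattened multi-engine scan listing and triage it.

Added example; not code from the post or from VirusTotal. Assumed line
format: "<engine> <version> <MM.DD.YYYY> <verdict>". The scan date is
taken from the post's text; the staleness threshold is an assumption.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Set, Tuple

# Scan lines copied from the post. The "Ikarus" line is garbled in the
# original (no usable version or date); the parser tolerates it.
REPORT = """\
AntiVir 6.35.1.0 08.13.2006 HEUR/Crypted.Layered
Authentium 4.93.8 08.13.2006 Possibly a new variant of W32/Threat-HLLIM-based!Maximus
Avast 4.7.844.0 08.10.2006 no virus found
AVG 386 08.11.2006 no virus found
BitDefender 7.2 08.13.2006 Backdoor.IRCBot.ST
CAT-QuickHeal 8.00 08.13.2006 Wargbot.b
ClamAV devel-20060426 08.13.2006 Trojan.IRCBot-689
DrWeb 4.33 08.13.2006 Win32.HLLW.Nert
eTrust-InoculateIT 23.72.95 08.13.2006 no virus found
eTrust-Vet 30.3.3016 08.13.2006 Win32/Cuebot.J
Ewido 4.0 08.13.2006 no virus found
Fortinet 2.77.0.0 08.12.2006 no virus found
F-Prot 3.16f 08.13.2006 Possibly a new variant of W32/Threat-HLLIM-based!Maximus
F-Prot4 4.2.1.29 08.13.2006 W32/Threat-HLLIM-based!Maximus
Ikarus n - no virus found
Kaspersky 4.0.2.24 08.13.2006 Backdoor.Win32.IRCBot.st
McAfee 4828 08.13.2006 IRC-Mocbot!MS06-040
Microsoft 1.1508 08.04.2006 no virus found
NOD32v2 1.1704 08.11.2006 a variant of Win32/IRCBot.OO
Norman 5.90.23 08.11.2006 W32/Suspicious_M.gen
Panda 9.0.0.4 08.13.2006 Suspicious file
Sophos 4.08.0 08.13.2006 no virus found
Symantec 8.0 08.13.2006 no virus found
TheHacker 5.9.8.191 08.13.2006 no virus found
UNA 1.83 08.11.2006 no virus found
VBA32 3.11.0 08.13.2006 no virus found
VirusBuster 4.3.7:9 08.13.2006 Backdoor.IRCBot.AAH
"""

SCAN_DATE = date(2006, 8, 13)          # from the post's text
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
NO_DETECTION = "no virus found"


@dataclass
class EngineResult:
    engine: str
    version: str
    updated: Optional[date]   # None when the date field is unreadable
    verdict: str

    @property
    def detected(self) -> bool:
        # Heuristic and "suspicious" verdicts count as detections here.
        return self.verdict.strip().lower() != NO_DETECTION


def parse_date(field: str) -> Optional[date]:
    try:
        return datetime.strptime(field, "%m.%d.%Y").date()
    except ValueError:
        return None


def parse_report(text: str) -> List[EngineResult]:
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        engine, version, date_field, verdict = m.groups()
        results.append(EngineResult(engine, version, parse_date(date_field), verdict))
    return results


def detection_ratio(results: List[EngineResult]) -> Tuple[int, int]:
    return sum(1 for r in results if r.detected), len(results)


def stale_engines(results: List[EngineResult], scan_date: date,
                  max_age_days: int = 2) -> List[str]:
    """Engines whose definitions were older than max_age_days on the scan
    day, or whose update date is unreadable. A clean verdict from such an
    engine carries little weight for a sample that is only hours old."""
    return [r.engine for r in results
            if r.updated is None or (scan_date - r.updated).days > max_age_days]


def distinct_labels(results: List[EngineResult]) -> Set[str]:
    """The set of names given by detecting engines; a large set for one
    file is the naming disagreement the commenters complain about."""
    return {r.verdict for r in results if r.detected}


if __name__ == "__main__":
    rs = parse_report(REPORT)
    hits, total = detection_ratio(rs)
    print(f"detections: {hits}/{total}")
    print("stale or undated definitions:", stale_engines(rs, SCAN_DATE))
    print("distinct detection names:", len(distinct_labels(rs)))
```

Run it as-is to reproduce the triage of the report quoted in the post; swap in another listing in the same format to triage a different sample. The staleness check is the part worth keeping: a vendor's miss only means something once you have confirmed its definitions postdate the sample.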

By Brian Krebs  |  August 13, 2006; 5:27 PM ET
Categories:  Latest Warnings  

Comments

You would think by now AV companies would be on the same page (or at least in the same chapter). Everyone wants to name the virus/worm themselves and it always causes confusion. Why can't they at least do an MD5sum on the file and include that in their advisory? At least then we can know for sure if it is the same one or not.

Posted by: David Taylor | August 14, 2006 6:20 AM | Report abuse

Hmmm. So among other findings, McAfee found the Mocbot variant, but Symantec didn't? Interesting...

Posted by: John Johnson | August 14, 2006 9:57 AM | Report abuse

A lot of people have noticed a new Iranian web site that purports to be President Mahmoud Ahmadinejad's blog, and a lot of blogs have linked to it.

But before you click through to the site (from somewhere else, I won't post the link here), make sure your virus prevention software is up to date--because it may try to exploit a weakness in Internet Explorer to install a "back door" in your computer. More details at http://olehgirl.blogspot.com/2006/08/pres-ahmadinejad-trying-to-infect.html

Posted by: Catawba | August 14, 2006 2:11 PM | Report abuse

Interesting how many programs reported "no virus found". THAT bothers me more than what it's called (although I agree on standardizing names).

Posted by: Jeff | August 14, 2006 2:31 PM | Report abuse

I quickly patched my Windows XP with these fixes and have suffered my first ever "blue screen of death" under Windows XP. This happens now with every new boot of the system. I have added no other software or hardware.

Posted by: Norman | August 14, 2006 3:48 PM | Report abuse

Thank you for the information! Now, if they would only find the attackers and put them in jail. I have asked MSN to do so and I am still waiting to hear back from them in this regard.

Posted by: PJ | August 15, 2006 9:27 AM | Report abuse

People still use Internet Explorer?

Posted by: JPY | August 15, 2006 2:19 PM | Report abuse

To "Fred", "no virus found".

You are absolutely right.
You ought to be bothered. Many spywares disconnect LiveUpdate giving this false information.
It won't take long until terror controlled spywares will give us a pop up window telling something like this:

----------------------

"This is a message for you Mr. XXX in person.

Your computer is compromised by spywares which cannot be detected nor erased by any antivirus software yet invented.
You are currently attempting to connect to your Internet bank. We suggest you to reconsider.
From now on it's safe for you to visit your bank's physical office and pay your bills there.
If you decide to do so, we will leave you in peace.
On the other hand, in case you choose to proceed logging in to your Internet bank or give out your credit card online during eShopping we will steal your Identity and transmit it to a remote server and your ID will be sold on the Internet for criminal use.

First of all your address will be exchanged so you will never see what happens to you until too late. Somebody will then open new bank credits in your name as well as cashing in for your sold non-existing goods on auction websites whereon we will promote you. A mass of new credit cards will be opened in your name as well as a new passport, driver's license and an Identity card for withdrawing cash. Your home will be sold and your name will be used in several other lucrative ways. Your name will be hung out on the Internet in unwanted affairs. It's more or less guaranteed that your private economy and credit reports will be damaged for at least one decade to come. During that time you will be blocked in any bank and undergo FBI investigations for your organized frauds and reckon at least one visit by a Police task force in your home or at your job.
Your two alternatives are clear. No further warnings will be made. The choice is yours.

This message is executed from a remote server awaiting your choice."
---------------------------------
Who would use online banks and credit cards after that?
I would be the first queuing at the bank the next morning to withdraw my savings in cash. And you?

We should be afraid, very afraid, as this will give a lethal impact to our banks and economy, far worse to Homeland than aircraft exploding over the Ocean.

I recommend the newsletters the register.com and vnunet.com. Comprehensive and unpleasant news for pros there.

Rgds
William Palmborg
securasystem.com

Posted by: W. Palmborg | August 24, 2006 12:54 PM | Report abuse

© 2010 The Washington Post Company