Malware attacks Windows vulnerabilities
Two variants of the Mocbot IRCbot, which exploits a hole in the Windows Server service, are making the rounds. Microsoft closed the vulnerability with August's Patch Tuesday, but the malware seeks out unpatched Windows 2000 machines to infect. At the weekend Microsoft warned about the readily available exploit code, but has since updated its security advisory, now categorising the risk as low. Microsoft is clearly speaking of a different virus, however, since Brian Krebs, the security specialist at the Washington Post, reports that the Mocbot variants are not recognised by Microsoft's antivirus solution at all.
Once a computer is infected, the Mocbot variants establish a connection to an IRC server and await instructions from the botnet operator. The server address is now known: Mocbot connects on TCP port 18067 to bniu.househot.com, or to ypgw.wallloan.com if the first server cannot be reached. This is the same IRC server that was used by the original Mocbot variant.
Both IRCbot variants establish themselves as wgareg.exe and wgavm.exe in the Windows system. These files are then registered as Windows services Windows Genuine Advantage Registration Service and Windows Genuine Advantage Validation Monitor respectively, and start with system rights when the infected computer is booted up. The botnet operator can then transmit arbitrary commands to the infected computer; the malware includes routines for SYN floods, DDos attacks, opening a shell and functions for searching and infecting vulnerable computers, among other things. The infected computers may be intended for abuse by spammers. Antivirus software makers have begun delivering updated signatures that recognise these worms.
Meanwhile, additional malicious code has surfaced for the security holes closed on Patch Tuesday. The Internet Storm Center has reported malware that exploits the hole in the Windows help system. Users are warned against opening any unknown files, including Windows help files that arrive by email, for example. Exploits for security holes in Internet Explorer were already active on websites even before the holes were closed on Patch Tuesday. The patches released last Tuesday should be applied as soon as possible, where they have not already been installed by automatic update.
However, some of these patches have side effects, and computers that might be affected by them should be protected by other means: only trustworthy computers should be allowed to access them. For such unpatched computers, administrators should close ports 139 and 445 to protect the Server service against worms.
The side effects include the following. Security Update 921883 disrupts Microsoft's own Navision product under certain circumstances; this bug affects Windows Server 2003 with Service Pack 1 when programs try to allocate large contiguous memory blocks. Microsoft has also described a problem in which the installation of Update 918899 causes Internet Explorer 6 Service Pack 1 to exit unexpectedly. Another problem affects the German encyclopedia Brockhaus multimedial under Windows 2000 and XP (Security Update 917422, MS06-051).
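The indicators given above (the IRC servers and port 18067, the dropped files wgareg.exe and wgavm.exe, the two fake "Windows Genuine Advantage" service names) and the advice to keep ports 139 and 445 unreachable on unpatched hosts can be turned into a simple host-side triage check. The following script is an added example written for this article, not code from the report, any antivirus vendor or the Internet Storm Center. It runs over constructed sample data in the shape of netstat-style connection records and a pipe-separated service listing; the record formats, the sample addresses and the helper names are assumptions made for the example.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# Indicators taken from the article.
MOCBOT_C2_HOSTS = {"bniu.househot.com", "ypgw.wallloan.com"}
MOCBOT_C2_PORT = 18067
MOCBOT_FILES = {"wgareg.exe", "wgavm.exe"}
MOCBOT_SERVICE_NAMES = {
    "Windows Genuine Advantage Registration Service",
    "Windows Genuine Advantage Validation Monitor",
}
# Ports the article says should be closed on unpatched machines (Server service).
SERVER_SERVICE_PORTS = {139, 445}

# Constructed sample input (not real logs): "proto local remote state", one per line.
SAMPLE_CONNECTIONS = """\
tcp 10.0.0.12:1045 bniu.househot.com:18067 ESTABLISHED
tcp 10.0.0.12:1046 203.0.113.9:80 ESTABLISHED
tcp 10.0.0.7:1101 ypgw.wallloan.com:18067 SYN_SENT
tcp 0.0.0.0:445 *:* LISTENING
tcp 0.0.0.0:139 *:* LISTENING
tcp 0.0.0.0:3389 *:* LISTENING
"""

# Constructed sample service listing (not real output): "name|image path|state".
SAMPLE_SERVICES = """\
Windows Genuine Advantage Registration Service|C:\\WINNT\\system32\\wgareg.exe|Running
Automatic Updates|C:\\WINNT\\system32\\svchost.exe|Running
Windows Genuine Advantage Validation Monitor|C:\\WINNT\\system32\\wgavm.exe|Running
"""


def parse_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' into (host, port); port is None when it is not numeric (e.g. '*:*')."""
    host, sep, port = endpoint.rpartition(":")
    if not sep or not port.isdigit():
        return endpoint, None
    return host, int(port)


def find_c2_connections(netstat_text: str) -> List[Dict[str, object]]:
    """Flag outbound TCP connections to the known Mocbot IRC servers or to port 18067.

    Hostnames are assumed to be present in the records already (resolved by the
    logging device); a real deployment would also match on the resolved addresses.
    """
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        proto, local, remote, state = fields
        if proto != "tcp" or state == "LISTENING":
            continue
        host, port = parse_endpoint(remote)
        reasons = []
        if host.lower() in MOCBOT_C2_HOSTS:
            reasons.append("known Mocbot IRC server")
        if port == MOCBOT_C2_PORT:
            reasons.append("Mocbot IRC port 18067")
        if reasons:
            hits.append({"local": local, "dst_host": host, "dst_port": port, "reasons": reasons})
    return hits


def find_exposed_server_ports(netstat_text: str) -> List[int]:
    """Return the Server service ports (139, 445) that are listening on all interfaces."""
    exposed = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[3] != "LISTENING":
            continue
        host, port = parse_endpoint(fields[1])
        if port in SERVER_SERVICE_PORTS and host in {"0.0.0.0", "*"}:
            exposed.add(port)
    return sorted(exposed)


def find_mocbot_services(services_text: str) -> List[Tuple[str, str]]:
    """Flag services whose display name or image file matches the Mocbot indicators."""
    hits = []
    for line in services_text.splitlines():
        parts = line.split("|")
        if len(parts) != 3:
            continue
        name, image_path, _state = parts
        image = ntpath.basename(image_path).lower()
        if name in MOCBOT_SERVICE_NAMES or image in MOCBOT_FILES:
            hits.append((name, image_path))
    return hits


def triage(netstat_text: str, services_text: str) -> List[str]:
    """Combine the three checks into human-readable findings."""
    findings = []
    for hit in find_c2_connections(netstat_text):
        findings.append(f"C2 connection {hit['local']} -> {hit['dst_host']}:{hit['dst_port']} ({', '.join(hit['reasons'])})")
    for port in find_exposed_server_ports(netstat_text):
        findings.append(f"Port {port} listening on all interfaces; close it if this host is unpatched")
    for name, path in find_mocbot_services(services_text):
        findings.append(f"Suspicious service '{name}' ({path})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_CONNECTIONS, SAMPLE_SERVICES):
        print(finding)
```

On the sample data the script reports both IRC connections, the two exposed ports and both bogus services. Matching on port 18067 alone is deliberately listed as a separate reason, since an unrelated service may use that port; the hostname match is the stronger signal.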
- IRCBot.st, Malware description from F-Secure
- W32.Wargbot, Warning from Symantec
- IRC-Mocbot!MS06-040, Description from McAfee
- Public release of exploits against the Windows help system, Warning from Internet Storm Center