01 September 2006, 13:07

Windows worm causing increased net activity

The Internet Storm Center is reporting increased Internet-based attacks on Windows systems at present. The Vanebot-A worm, which attempts to infiltrate vulnerable computers through the hole in the Windows Server service(MS06-040), is the likely culprit, they report. One indication for this is the high number of access requests for TCP port 139 (NetBIOS session), through which the worm plants and executes malicious code on the affected system. A first IRC bot exploiting the hole was already up and running a week after the publication of the security hole on the Net. Depending on the version, the malware is capable of infesting Windows NT, Windows 2000 or potentially even Windows XP systems.

Port 139 should not be accessible from the Internet for safety reasons. Yet it appears that more and more systems are connected to the Net without a firewall. CipherTrust, a manufacturer of security solutions, in the past few weeks has tracked a strong increase in PCs that have been converted into zombie PCs through security holes--up from 214,000 to 265,000 daily--and which are now being harnessed to stream out spam. Alongside the lack of firewalls, another problem is the failure of many users to heed the warnings to promptly install updates from Microsoft.

Vanebot-A is a classic IRCbot; after infection, it opens a connection to the IRC server at forum.ednet.es using port 4915 and receives instructions. It possesses functions related to DDos attacks and the downloading of further files, among others. It also attempts to steal login information about eBay, e-Gold, PayPal and other banks. Beyond the hole in the Server service, Vanebott also exploits older vulnerabilities to try to infiltrate the system, namely those described by Microsoft in its bulletins MS04-007, MS05-017 and MS05-039. Several manufacturers of antivirus software have already made signatures available to recognise the malware.

Please see also: