From: ixaoxe
Subject: Please ensure your anti virus software is operational and fully up to date. Digital signature: edakgtozn
Date: Mon, 18 Sep 2006 15:14:16 -0500
User-agent: Mozilla/5.0 (Windows; U; Win98; de-AT; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1
http://www.eweek.com/article2/0,1895,2002966,00.asp
or if you don't trust this email:
Botnet Herders Attack MS06-040 Worm Hole
By Ryan Naraine, August 13, 2006

The first wave of malicious attacks against the MS06-040 vulnerability is underway, using malware that hijacks unpatched Windows machines for use in IRC-controlled botnets.

The attacks, which started late Aug. 12, use a variant of a backdoor Trojan that installs itself on a system, modifies security settings, connects to a remote IRC (Internet Relay Chat) server and starts listening for commands from a remote hacker, according to early warnings from anti-virus vendors.

The MSRC (Microsoft Security Response Center) described the attack as 'extremely targeted' and said it appears to be specifically targeting unpatched Windows 2000 machines.

'[This is] very much unlike what we have seen in the past with recent Internet-wide worms,' said MSRC program manager Stephen Toulouse. 'In fact, our initial investigation reveals this isn't a worm in the 'auto-spreading' classic sense,' he added.

'Very few customers appear to be impacted, and we want to stress that if you have the MS06-040 update installed, you are not affected. While all that could change based on the actions of the criminals, it's important to scope the situation and take the opportunity to stress that everyone should apply this update,' Toulouse said.

The MSRC is using its blog to communicate guidance in the early stages of the attack.

According to the LURHQ Threat Intelligence Group, the attackers are using a variant of the Mocbot trojan that was used in the Zotob worm attack in August 2005.

'Amazingly, this new variant of Mocbot still uses the same IRC server hostnames as a command-and-control mechanism after all these months. This may be partially due to the low-profile it has held, but also may be due to the fact that the hostnames and IP addresses associated with the command-and-control servers are almost all located in China,' LURHQ said in an advisory.

The Redmond, Wash., software maker also issued a formal advisory to confirm the existence of public exploits.
Regards
Exetel Management
Exetel Pty Ltd
---------------------------------------------------------------------
Please note: you can not reply to this email.
Digital signature: zqalais