Hackers Back With Vengeance Against Windows 'MS06-040'

Users have been warned by Symantec and the Internet Storm Center of increased activity. This may imply a renewed series of SpyBot and worm attacks on Windows Server security vulnerability.

A spurt in activity has come to the notice of security companies and organizations, suggesting a flaw in Windows server that has been declared high dangerous at the beginning of August.

Recently on August 8, a new flaw was detected in midst of the release of twelve Microsoft security notices. Among them was MS06-040, a patch for a vital flaw in Windows server service. Initially security analysts highlighted the threat of a network worm attack, known as MSBlast as potentially harmful for the bug. However after a number of cases, the damage seemed to be negligible. In the tally by Symantec, there are six bots known to use the MS06-040 exploit.

Symantec issued a warning early on Thursday to those using its DeepSight threat management service. A new variation of SpyBot by the name of W32.SpyBot.AKNO was reportedly spreading.

This worm has awareness of networks with which it creates a point of entry on the infected computer. The worm was detected as a family that spread by means of the Kazaa network for mlRC and file sharing. It is also capable of spreading to computers already infected with the more common 'back door' Trojan horses or linked by shared networks that have inadequate password protection.

A number of functions can be performed by W32.Spybot.AKNO on connecting to a IRC server that can be configured by using a particular channel for listening to the instructions. Once a bot gains access to a system, it downloads other malicious code for the purpose of hijacking the computer in order to turn it into a spam zombie or to carry out other crimes. It also comes equipped with rootkit, a code that shields worms and bots making them more difficult to be detected by antivirus software's.

Reports have also been received by Symantec of a worm in the wild that uses MS06-040 vulnerability to target computers on Windows NT 4.0. Cole elaborates that there has been increased activity to take advantage of this vulnerability. Every time an exploit is let out, there's a rush with everyone wanting to include it.

The advice from both Symantec and ISC is for users to use the patch to correct the MS06-040 flaw. In case of the patch not being possible or available, like for Windows NT users, filtering should be done or TCP ports 139 and 445 be blocked.

Related article: Hackers Redirect Windows Live Search to Malicious Sites

» SPAMfighter News - 9/7/2006