Exploits Emerge for Microsoft Vulnerability

MS06-040, expected to be precursor to a major worm, may instead morph into a botnet

Security researchers have spotted the first attacks designed to exploit the critical vulnerability exposed in Microsoft Windows last week.

The vulnerabilities emerged as part of Microsoft's MS06-040 security patch, rolled out last Tuesday. (See Microsoft's Big Patch Day.) However, these initial exploits take the form of a low-risk botnet, rather than the damaging worm that many experts still expect.

The botnet, which has been called Cuebot-L, Graweg, and Mocbot, spreads like a worm via AOL Instant Messenger. Once it infects a PC, it turns off the Windows firewall and opens a back door, allowing remote attackers to gain access and control, according to researchers at SophosLabs.

Researchers at LURHQ Corp., a Chicago security management firm that has studied the botnet/worm, say there are two variants of the worm so far. The code is actually a modified version of an exploit that was written last year to take advantage of Microsoft's MS05-039 PNP vulnerability, they say.

The botnet is a relatively low-level threat and is remedied by the Microsoft patch, the researchers say.

Security experts continue to hunt for other, more dangerous attacks that exploit the MS06-040 vulnerability, which is considered to be a real danger because it provides a relatively easy way to gain remote access to PCs and laptops. (See How to Protect Against the MS06-040 Attack.) HD Moore, co-creator of the Metasploit Framework, publicly released his exploit on Thursday, and Symantec confirmed that Moore's code results in a denial-of-service attack.

— Tim Wilson, Site Editor, Dark Reading

  • Microsoft Corp. (Nasdaq: MSFT)
  • Sophos plc
  • Symantec Corp. (Nasdaq: SYMC)
  • Editors' Choice
    Jai Vijayan, Contributing Writer, Dark Reading
    Kelly Jackson Higgins 2, Editor-in-Chief, Dark Reading