MS06-040 Exploit alert: W32.Wargbot
In an earlier blog regardingMicrosoft’s recent vulnerability announcement, MS06-040 (Server servicevulnerability) was discussed, along with how this issue would beexploitable for worm-based attacks. Although there were samples ofproof-of-concept exploits released last week, it was pretty quiet onthis front, until now. We have now seen our first real, in-the-wildstyle attack leveraging MS06-040.
Here's what we know so far:
• On August 12, 2006 Symantec Security Response detected a new exploitbased on MS06-040, dubbed W32.Wargbot. This is a network-aware wormthat leverages the described vulnerability to spread itself onvulnerable machines. Once on the compromised machine, W32.Wargbot thenproceeds to open an IRC backdoor.
• In response to this new attack, Symantec has released AV signaturesspecific to W32.Wargbot; however, generic detections have beenavailable since July 6, 2006. Customers with AV definitions prior tothe 20060813.004 release may see this threat detected asBackdoor.IRC.Bot or W32.Mocbot.B.
• Additionally, customers with Symantec's IPS-enabled products such asSymantec Client Security, Norton Antivirus, and Norton InternetSecurity have been proactively protected from such exploits ofMS06-040, as early as within two hours of Microsoft's initialdisclosure of the vulnerability on August 8, 2006.
Update - August 14, 2006:
On August 14, 2006 Symantec Security Response has seen a slight pick upin the activity of W32.Wargbot. This is perhaps due to people returningto work after the weekend, finding that their computers have becomeinfected (or, at least, are coming under attack from this threat).
W32.Wargbot has now been assigned a Common Malware Enumeration (CME)identifier (CME-482) to aid the cross referencing of the Malwarebetween Security Software vendors. A full description is available forW32.Wargbot. You can view the description here.
The command and control servers for W32.Wargbot, while overloaded,are still functioning. Security Response has been monitoring theinstructions received from the command and control servers. As of2:00PM GMT, infected machines are instructed to download anotherbackdoor from http://media.pixpond.com/. This backdoor does not useIRC, but listens on a random port. The backdoor notifies the author ofthe infected IP address and port by sending a UDP packet with theinformation to another domain.
Symantec Security Response recommends that customers protectthemselves by installing the latest Microsoft patches, as well asensuring that their security solutions are kept current with the latestsecurity updates. As always, we will closely monitor furtherinformation related to this event and will provide updates and securitycontent as necessary.
Update - August 15, 2006:
We now know the purpose of W32.Wargbot, as it stands today. Asmentioned before, W32.Wargbot joins an IRC channel and is instructed todownload a copy of Backdoor.Ranky.X.Once Backdoor.Ranky.X is installed, it sends an "I am here" packet to aserver on the yu.haxx.biz domain. This server then connects back to thecompromised computer and instructs it to connect to a second server, onthe mxs.mail.ru domain, using TCP port 25. Anything received from thesecond server is then passed back to the attacker using the compromisedcomputer, and vice versa. Thus, it is working as a proxy to send SPAM.