ECommerceTimes.com
Windows Weathers Attack of the Bots

Security analysts warned Windows users about it -- and now it's happening.

Hackers launched an attack against Windows PCs over the weekend. The attack came disguised as one-at-a-time bot pinpricks, instead of the massive worm some had feared.

Also known as a zombie, a bot is a type of malware that allows an attacker to gain control over an affected computer. There are potentially tens of thousands of computers infected with bots without their owners' knowledge.

This latest bot uses an exploit published last week that leverages a vulnerability disclosed on August 8, Microsoft's (Nasdaq: MSFT) last Patch Tuesday. Microsoft patched the vulnerability, which is in the Windows Server service, in its security bulletin MS06-040.

Mocbots Arise

Mocbot variants, including Warbot and IRCBot, attacked in an attempt to gain unauthorized access to networks before administrators could physically test and roll out patches across large networks.

Most large networks require a week or more to patch vulnerable systems, according to Ken Dunham, director of the Rapid Response Team at VeriSign (Nasdaq: VRSN) iDefense.

"Bot herders are leveraging the MS06-040 vulnerability to attack non-compliant corporate computers and thousands of consumer computers over the following days and months," Dunham told TechNewsWorld. "Snort signatures are available to help detect possible MS06-040 exploit attempts."

Targeted Attack

"So far, this appears to be an extremely targeted attack, very much unlike what we have seen in the past with recent Internet-wide worms," wrote Stephen Toulouse, program manager with the Microsoft Security Response Center (MSRC), in a posting. "In fact, our initial investigation reveals this isn't a worm in the 'autospreading' classic sense, and it appears to target Windows 2000."

Symantec (Nasdaq: SYMC), Sophos and McAfee called the attack a worm, despite Microsoft's description of the attack as a bot. Microsoft rates the attack as a low threat because it does not replicate automatically from machine to machine.

"Its impact in terms of infection base appears to be extremely small," wrote Adrian Stone, another MSRC program manager, in his blog. "What we know right now is that the attack affects specifically Windows 2000 computers who have not applied the MS06-040 update. Thus far we have not seen this attack impacting any other versions."

Don't Delay Deployment

Microsoft is still urging all Windows 2000, XP and Server 2003 users to implement the MS06-040 patch as soon as possible. The patch is available through Microsoft's automated update services or can be downloaded from Microsoft's TechNet site.

When Microsoft released its 12 patches last Tuesday, it was clear that this flaw was the most critical vulnerability, according to Marc Maiffret, eEye's co-founder and chief hacking officer.

"Once we identified this piece of malware, our research team knew that signature-based security technologies would be unable to detect it, which has been a common denominator for the vast majority of the new malware that our security team has seen," Maiffret said.

"For IT to effectively protect their networks against this type of threat, they either have to incorporate some type of non-signature-based endpoint protection or be prepared to drop everything on Patch Tuesday to patch their critical systems," he added.

