
Ms05-039 -- Mocbot Irc Worm In The Wild

1 reply to this topic

#1 harrywaldron

    Security Reporter

  • Members
  • 509 posts
  • Gender: Male
  • Location: Roanoke, Virginia

Posted 23 October 2005 - 06:31 AM

A new attack based on August's security bulletin MS05-039 surfaced overnight. This new threat remains at low risk currently. This was initially reported as an MS05-047 exploit, but after further analysis McAfee has confirmed this exploit was not used, as noted in the post below.

MS05-039 -- Mocbot IRC Worm in the wild
http://secunia.com/virus_information/22746/irc-mocbot/
http://www.f-secure.com/v-descs/mocbot.shtml
http://vil.nai.com/vil/content/v_136637.htm

This botnet client was spread using the MS05-039 vulnerability in October 2005. This trojan installs itself in the WINDOWS SYSTEM directory as wudpcom.exe. It creates a service called "wudpcom". Once instructed, the bot scans the class A subnet addresses, sending SYN packets via TCP 139 (netbios), and 445 (microsoft-ds).

SYMPTOMS
1. Heavy netbios and microsoft-ds network traffic
2. Presence of the file wudpcom.exe in the WINDOWS SYSTEM directory
3. TCP 18067 connections to hostile websites

Information on the MS05-047 exploit, which attacks PnP security in a similar fashion to MS05-039, is noted below:

FrSIRT has also published POC code for ms05-047 exploit

Edited by harrywaldron, 24 October 2005 - 06:55 AM.
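The three symptoms listed above can be turned into a simple check. The following is an added example, not code from the post or from any of the vendor write-ups it links: it scores hosts in a constructed connection log (format assumed: "src dst dport tcp_flags" per line) for SYN sweeps on TCP 139/445 and for outbound TCP 18067, and matches a directory listing and service list against the wudpcom.exe / wudpcom names; the threshold of 20 targets and all addresses are constructed for the example.

```python
from collections import defaultdict

SCAN_PORTS = {139, 445}   # netbios / microsoft-ds: ports the bot SYN-scans
C2_PORT = 18067           # outbound TCP port listed under SYMPTOMS
SCAN_THRESHOLD = 20       # distinct targets on 139/445 before a host is flagged

def analyze(lines, scan_threshold=SCAN_THRESHOLD):
    """Map each suspicious source host to the symptoms seen in the log lines.
    Assumed (constructed) log format: "src dst dport tcp_flags" per line."""
    scan_targets = defaultdict(set)   # src -> distinct hosts probed on 139/445
    c2_peers = defaultdict(set)       # src -> peers contacted on TCP 18067
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, flags = line.split()
        dport = int(dport)
        if dport in SCAN_PORTS and flags == "S":
            scan_targets[src].add(dst)
        if dport == C2_PORT:
            c2_peers[src].add(dst)
    findings = defaultdict(list)
    for src, targets in scan_targets.items():
        if len(targets) >= scan_threshold:
            findings[src].append(f"SYN scan: {len(targets)} hosts on 139/445")
    for src, peers in c2_peers.items():
        findings[src].append(f"outbound TCP {C2_PORT} to {sorted(peers)}")
    return dict(findings)

def host_indicators(files_in_system_dir, service_names):
    """Check a system-directory listing and a service list for the named artefacts."""
    hits = []
    if "wudpcom.exe" in {f.lower() for f in files_in_system_dir}:
        hits.append("file wudpcom.exe present in system directory")
    if "wudpcom" in {s.lower() for s in service_names}:
        hits.append("service wudpcom registered")
    return hits

def build_sample_log():
    """Constructed sample: 10.1.2.3 sweeps on 445 and 139, then calls out on 18067."""
    lines = [f"10.1.2.3 10.7.0.{i} 445 S" for i in range(1, 31)]
    lines += [f"10.1.2.3 10.7.1.{i} 139 S" for i in range(1, 11)]
    lines.append("10.1.2.3 203.0.113.9 18067 S")   # TEST-NET address, constructed
    lines += ["10.1.2.4 10.0.0.5 445 S", "10.1.2.4 10.0.0.5 445 A",
              "10.1.2.5 10.0.0.7 80 S"]            # ordinary client traffic
    return lines

if __name__ == "__main__":
    for host, symptoms in analyze(build_sample_log()).items():
        print(host, symptoms)
```

Feed it real firewall or flow records converted to the assumed four-field form, and a directory listing plus `sc query` output for the host checks.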
#2 harrywaldron

    Security Reporter

  • Topic Starter
  • Members
  • 509 posts
  • Gender: Male
  • Location: Roanoke, Virginia

Posted 24 October 2005 - 06:56 AM

After further testing McAfee/AVERT has confirmed this new IRCbot uses MS05-039 from August. Thankfully, a little more time remains to complete corporate updates. Still, with at least 4 published exploits from October in the wild, it's critical to test and patch all PCs and servers quickly.

-- AVERT/McAfee Update Oct 23, 2005 -- After further analysis, AVERT has confirmed that this threat does not exploit MS05-047, but rather MS05-039. Initial analysis suggested the MS05-047 was being exploited due to similarities between those exploits (including overlapping code between publicly available source code), field infection reports where administrators incorrectly stated that machines were patched from MS05-039, and similarities between an earlier MS05-039 exploiting bot, where the only significant change was the exploit code being used.

Additionally, AVERT has confirmed that automated propagation has/had been configured on remote IRC servers, such that infected systems that are able to connect to the remote IRC server are immediately instructed to seek out vulnerable systems to infect them. This threat exploits the MS05-039 Microsoft Windows vulnerability.