MocBot Exploits MS06-040 Vulnerability

When Microsoft released the monthly security bulletins on August 8, we blogged that the Windows Server Service vulnerability (MS06-040) was a worm candidate. Exploit code was released to the Internet community on August 10, and the first IRC bots to exploit this vulnerability were discovered in the wild on August 12, all in 4 days.

Without surprise, the bot, IRC-MocBot!MS06-040, is apparently a quick hack from its precedent, IRC-MocBot, with an updated exploit module using publicly available code. It uses the same replication mechanism and even connects to the same hostnames as it did in October 2005.

At the time of writing, the exploit used in two similar variants of this threat are targeting Windows 2000 systems which are not equipped with default Windows firewall or memory protection – both features introduced in Windows XP Service Pack 2 and Windows 2003 Service Pack 1. Even so, this threat may still infect other systems by enticing users into downloading the malware by means of instant messaging, e-mail or other vectors. Once infected, it can then scan for vulnerable systems in your corporate networks.

IRC-MocBot!MS06-040 variants can be detected by McAfee VirusScan using the latest DAT set. More information on IRC-MocBot!MS06-040 is available at http://vil.nai.com/vil/Content/v_140394.htm.

The exploit contained in this threat will not affect you if your Windows systems are updated with the latest MS06-040 patches from Microsoft. Reiterating Monty’s advice from his blog, there is no better reason to review your deployments now.