Monday, October 24, 2005

Correction: First MS05-047 malware found

Update:

McAfee's AVERT sez:

After further analysis, AVERT has confirmed that this threat does not exploit MS05-047, but rather MS05-039. Initial analysis suggested the MS05-047 was being exploited due to similarities between those exploits (including overlapping code between publicly available source code), field infection reports where administrators incorrectly stated that machines were patched from MS05-039, and similarities between an earlier MS05-039 exploiting bot, where the only significant change was the exploit code being used.

Additionally, AVERT has confirmed that automated propagation has/had been configured on remote IRC servers, such that infected systems that are able to connect to the remote IRC server are immediately instructed to seek out vulnerable systems to infect them.

Earlier:

Mikko writes over on the F-Secure "News from the Lab" blog:

We're currently looking at a botnet client known as "Mocbot".

This botnet client has been spread using the MS05-047 vulnerability. This is the first case of using this vulnerability in malware we've seen.

Symptom of an infection is the existence of a file called wudpcom.exe in the SYSTEM directory.

The botnet client tries to connect to two IRC servers in Russia, but the servers seem to be down (or overloaded).

Info on this PnP vulnerability (not to be confused with the MS05-039 vulnerability used by Zotob) is available from the Microsoft web site.

Patch against this vulnerability was published in the last monthly update set from Microsoft. Patch now.

The vulnerability can be exploited via 139/TCP and 445/TCP.
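The two indicators the quoted post gives a defender are a file name (wudpcom.exe in the SYSTEM directory) and a propagation path (139/TCP and 445/TCP, with infected hosts instructed to seek out further victims). The script below is an added example, not code from F-Secure, McAfee or the original post: it checks a directory for the indicator file and flags hosts in a flow log that fan out to many distinct peers on those ports. The flow-log line format, the sample log lines and the `threshold` parameter are assumptions made for this example; only the file name and the ports come from the post.

```python
"""Host and network checks for the Mocbot indicators quoted above.

Added example, not the vendors' own code. Assumed: the indicator file name
wudpcom.exe (from the post), ports 139/TCP and 445/TCP (from the post),
and a constructed flow-log format 'src_ip dst_ip dst_port proto'.
"""
import os
import tempfile
from collections import defaultdict

INDICATOR_FILES = {"wudpcom.exe"}   # from the post
SMB_PORTS = {139, 445}              # from the post


def find_indicator_files(system_dir, indicators=INDICATOR_FILES):
    """Return indicator file names present in system_dir.

    Comparison is case-insensitive because NTFS file names are; a missing or
    unreadable directory yields an empty list rather than an exception.
    """
    try:
        names = os.listdir(system_dir)
    except OSError:
        return []
    wanted = {n.lower() for n in indicators}
    return sorted(n for n in names if n.lower() in wanted)


def parse_flow(line):
    """Parse one constructed flow-log line into (src, dst, dst_port), or None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, port, proto = parts
    if proto.upper() != "TCP":
        return None
    try:
        return src, dst, int(port)
    except ValueError:
        return None


def find_smb_scanners(lines, threshold=10):
    """Return {src: distinct_destination_count} for sources that contacted at
    least `threshold` distinct hosts on 139/445.

    A normal file-share client talks to a handful of servers; an infected host
    told to find vulnerable systems fans out across a subnet. `threshold` is an
    assumed tuning value, not something the post specifies.
    """
    targets = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is not None and rec[2] in SMB_PORTS:
            targets[rec[0]].add(rec[1])
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


# Constructed sample log: one host sweeping 25 addresses on 445, one ordinary
# client, one unrelated HTTP flow, and one malformed line the parser must skip.
SAMPLE_FLOWS = [f"10.0.0.5 10.0.1.{i} 445 TCP" for i in range(1, 26)] + [
    "10.0.0.7 10.0.0.20 445 TCP",
    "10.0.0.7 10.0.0.20 139 TCP",
    "10.0.0.9 10.0.0.30 80 TCP",
    "garbage line",
]


def check_sample_dir():
    """Build a constructed directory with a benign file and the indicator in
    mixed case, and return what find_indicator_files reports for it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("notepad.exe", "WUDPCOM.EXE"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"")
        return find_indicator_files(d)


if __name__ == "__main__":
    # On a real Windows host the directory would be %SystemRoot%\system32.
    print("indicator files in sample dir:", check_sample_dir())
    print("hosts sweeping 139/445:", find_smb_scanners(SAMPLE_FLOWS))
```

The file check alone only confirms an infection after the fact; the fan-out count is what surfaces a compromised host while it is still hunting for targets, and it works from perimeter or switch flow records without touching the host.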
