Hackers Exploit Windows 'MS06-040' Vulnerability

The bot has been dubbed with several names by security firms, including "Graweg," "Mocbot," "WGAReg," and "Cuebot." It uses an exploit published last week that leverages a vulnerability disclosed last Tuesday, Aug. 8, to compromise computers and add them to a botnet. The vulnerability in Windows Server service, which was patched by Microsoft in its security bulletin MS06-040, was widely pegged as the most dangerous of the month's lot. Several security analysts had predicted that an attack against unpatched PCs would soon begin, possibly as early as the weekend.

On Saturday and Sunday, security companies detected two variants, noted that once installed they were able to control AOL Instant Messenger if it was present on the compromised computer, and linked the bot herders' controlling systems to a pair of IP addresses in China. Most security vendors also agreed that this new attack malware was a close cousin to several earlier bots, each of which relied on a different Windows vulnerability to grab PCs.

"So far, this appears to be an extremely targeted attack, very much unlike what we have seen in the past with recent Internet-wide worms," wrote Stephen Toulouse, program manager with the Microsoft Security Response Center, in a posting late Saturday. "In fact, our initial investigation reveals this isn't a worm in the 'autospreading' classic sense, and it appears to target Windows 2000."

Notwithstanding Toulouse's classification of the bot, several security vendors, including Symantec, Sophos, and McAfee, categorized Graweg.a and Graweg.b as "worms." Whatever the nomenclature, the risk remains low for now, said Microsoft.

"This is rated as a low threat and doesn't at this time replicate automatically from machine to machine," wrote Adrian Stone, another MSRC program manager, on the center's blog Sunday. "It's impact in terms of infection base appears to be extremely small. What we know right now is that the attack affects specifically Windows 2000 computers who have not applied the MS06-040 update. Thus far we have not seen this attack impacting any other versions."

Ken Dunham, director of VeriSign iDefense's rapid response team indicated the threat might be more serious. "Bot herders are leveraging the MS06-040 vulnerability to attack non-compliant corporate computers and thousands of consumer computers over the following days and months," said Dunham, in an e-mail to TechWeb on Sunday.

Ironically, the bots were using Windows Genuine Advantage -- Microsoft's controversial anti-piracy program -- to disguise their malicious activity on infected computers. According to an alert posted by Chicago, Ill.-based LurHQ Security Services, the bots create a service to run at startup called "Windows Genuine Advantage Registration Service" or "Windows Genuine Advantage Validation Monitor."

"The description given to the [first] service reads 'Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability,' reported LurHQ "[It's] an attempt to discourage users from stopping [the service] from running."

Although most security companies tagged the bots as low on their threat charts -- Symantec, for instance, judged it as a "2" in its 1 through 5 system -- and most anti-virus vendors had new signatures to detect them in place by late Sunday, there were concerns that the situation wouldn't stay stable.

"[The AIM control] could be a potential vector to allow the controller to trick users into downloading and executing the bot from an external URL, allowing it to penetrate firewalls like any other file downloaded over HTTP," said LurHQ's warning. "Once inside a network, it could then spread using the MS06-040 exploit to vulnerable internal systems over TCP port 445."

Microsoft repeated last week's recommendation, and urged all Windows 2000, XP, and Server 2003 users to patch as soon as possible. The MS06-040 fix can be obtained here, or through Microsoft's normal automated update services or applications.