Big Boost in Zombie PCs From Latest Windows Exploit


The average number of new zombie PCs recorded each day by CipherTrust has jumped since Aug. 14 to 263,000 from 214,000, Dmitri Alperovitch, research scientist for the Alpharetta, Ga., company, said. The increase has been blamed on the most recent version of Mocbot, also called Wargbot and Graweg, which exploits the Windows flaw patched Aug. 8 by Microsoft.

The increase itself is not a surprise, given that the number of PCs commandeered by virus writers to spew spam or malware often spikes when new worms or vulnerabilities are disclosed. What is unusual in this case, however, is how the machines are being infected.

The malware, which uses a bot to take control of a PC, is entering many machines through port 445, which security experts believed was no longer used by most companies.

Port 445 is used to listen for Windows services on local area networks.


"There's no reason to expose this port to the Internet," Alperovitch said. "A lot of companies block it. It's surprising that we still have people getting infected (through the port)."

CipherTrust expects the daily number of new zombies to return to normal over the next week, as people start patching their machines.

"We're seeing a trend in that direction," Alperovitch said.

Among the first commands a Mocbot-infected PC receives is to download another piece of malware, the spam proxy Trojan horse dubbed Ranky. The latest Mocbot hit the Internet Aug. 12 and has been ranked as a low threat by most security vendors and experts.