Our honeypot network started firing off alerts mid-afternoon/evening on the 12th. The detection was triggered by our Blink systems, which were running on Windows 2000 with no patches installed except for Service Pack 4. The Blink IPS was set to block all attacks except for the MS06-040 Server service vulnerability; that protection was set to log only, so that our system could be infected and a full network capture and file trace could be performed. I won't bore you with all of the other details of the system... except that if you're a university or have a large network and would like to be part of our growing group of Blink honeypot networks, then contact [email protected] directly. But more on the automated malware that is spreading...
As mentioned previously, the malware spreads by exploiting systems using the MS06-040 vulnerability, which we previously blogged about and have also released a free scanning tool for. So far, from the samples we have gathered, the payload only appears to work on Windows 2000, which makes sense since most of the exploits released were more common for Win2k than for other platforms.
Once the malware has infected your system it will set up a bot that sits on IRC and can be used by attackers to send commands to control your system, for example to perform DDoS attacks. This is typical functionality for any botnet-style system.
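As an added illustration (not code from the eEye post or from Blink), here is the kind of correlation a defender can run over IPS and connection logs: flag any host that took an unblocked MS06-040 hit on the Server service port and then opened an outbound IRC session shortly afterwards. The log format, addresses and the set of IRC ports are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (hypothetical format): an IPS alert for MS06-040 left
# in log-only mode against one honeypot, a blocked attempt against another,
# and the follow-on outbound connections from the victims.
SAMPLE_LOGS = """\
2006-08-12T15:02:11 ips alert=MS06-040 action=log src=10.9.8.7 dst=192.0.2.10 dport=445
2006-08-12T15:02:13 ips alert=MS06-040 action=block src=10.9.8.7 dst=192.0.2.11 dport=445
2006-08-12T15:02:40 conn src=192.0.2.10 dst=198.51.100.5 dport=6667 proto=tcp
2006-08-12T15:03:02 conn src=192.0.2.12 dst=198.51.100.5 dport=6667 proto=tcp
2006-08-12T15:09:00 conn src=192.0.2.11 dst=203.0.113.9 dport=80 proto=tcp
"""

LINE_RE = re.compile(r"^(\S+) (ips|conn) (.*)$")
IRC_PORTS = {6667, 6668, 6669}  # assumption: classic IRC C2 ports


def parse(logs):
    """Turn each 'timestamp kind key=value ...' line into a dict."""
    events = []
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        fields["kind"] = kind
        events.append(fields)
    return events


def likely_infected(logs, window_s=600):
    """Map victim -> IRC server for hosts that received an MS06-040 exploit the
    IPS did not block and then reached an IRC port within window_s seconds."""
    events = parse(logs)
    exploited = defaultdict(list)  # victim IP -> timestamps of unblocked hits
    for e in events:
        if e["kind"] == "ips" and e.get("alert") == "MS06-040" and e.get("action") != "block":
            exploited[e["dst"]].append(e["ts"])
    hits = {}
    for e in events:
        if e["kind"] != "conn" or int(e["dport"]) not in IRC_PORTS:
            continue
        for t in exploited.get(e["src"], []):
            if 0 <= (e["ts"] - t).total_seconds() <= window_s:
                hits[e["src"]] = e["dst"]
    return hits
```

Only the host that was hit in log-only mode and then spoke IRC is flagged; the host whose attempt was blocked and the host with an IRC session but no preceding exploit are left for separate review.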
Anyone who is using an IPS such as Blink (it's our blog, we will pimp our warez ;-)) is protected from this automated malware leveraging MS06-040. I think most IPSs should stop this attack by now, or I'd hope so.
For those of you who are still depending only on anti-virus, you're probably not in as much luck. When we first started to see the attacks come in we ran the malware components through a few anti-virus engines, and these were the results:
McAfee 4827/20060811 found nothing
Microsoft 1.1508/20060804 found nothing
Kaspersky 4.0.2.24/20060813 found nothing
Symantec 8.0/20060813 found nothing
Sophos 4.08.0/20060812 found nothing
CA eTrust 23.72.94/20060812 found nothing
Not to beat a dead horse, but let's just all say it again: anti-virus is completely reactive technology. But actually that is not fair, because we are about to announce anti-virus within Blink, and the technology we use generically detected these malware components without requiring any sort of updates. So not all anti-virus technology is reactive, just most of the major players are.
We will be posting more specifics later on, but right now we wanted to make sure everyone received a quick heads-up that there is an automated piece of malware out there right now targeting systems at "random."
The really important aspect of anything like this is that such an event lights a fire under everyone's *** to make sure they have patched all of their systems... and again, when in doubt, use our free scanning tool and find out.
-eEye Research