August 14, 2006 1:08 PM PDT

Worm duo tries to hijack Windows PCs

Two worms based on a recently disclosed Windows flaw have been unleashed, but the attacks so far don't appear to be widespread, security experts said.

The pair of worms surfaced over the weekend, several security companies said in alerts. The malicious software tries to hijack the computer for use in a network of commandeered PCs that can be remotely controlled, popularly called a botnet. The worms also can communicate via AOL's Instant Messenger and may be able to spread via the service.

"This is run-of-the-mill malicious software," said Don DeBolt, director of the Security Advisor group at CA, formerly known as Computer Associates. "The malware purveyors are simply packaging their old wares with the new exploit."

The worms are derivatives of the original Cuebot family that first surfaced last year, DeBolt said. These variants have been programmed to exploit a serious flaw in a Windows component related to file and printer sharing. Microsoft issued a patch for the security hole last week in security bulletin MS06-040. Security experts had already predicted that the flaw would spawn a worm attack.

Neither of the variants is very widespread, according to Microsoft, which calls them "Graweg."

"This appears to be an extremely targeted attack, very much unlike what we have seen in the past with recent Internet-wide worms," Stephen Toulouse, a program manager in Microsoft's Security Technology Unit, wrote on a corporate blog Saturday.

The MS06-040 worms appear to be limited to computers running Windows 2000. That's because the computer code used to exploit the vulnerability is most effective on computers with that older operating system, DeBolt said.

"Windows XP is appearing to be more difficult to exploit than its sister platform Windows 2000," he said.

Some security experts have said the age of the high-impact, Internet-wide worm is over. Instead, increasingly organized cybercriminals are looking to exploit flaws directed at specific companies for financial gain and want to fly under the radar. Criminals use botnets to relay spam, distribute spyware and launch other online attacks. A widespread worm could affect the performance of the Internet, which would also disrupt their own means of business.

For the new worms to propagate, the attacker must instruct a compromised machine to scan for new targets, DeBolt said. A vulnerable computer can be compromised remotely and without any user interaction, he said.

"We are not seeing a widespread epidemic at this time, but we do see increased activity on TCP port 445," DeBolt said, referring to the network port used by the vulnerable Windows service.

Security experts expect that the computer code that exploits the MS06-040 flaw will be perfected and become popular among miscreants looking to take over Windows systems. "We will see a number of different viral and spyware packages that utilize this exploit as it reaches a large audience," DeBolt said.

To protect their computers, Windows users are urged to install Microsoft's patch. All Windows versions are vulnerable, the software maker said. The fix is available via the Windows Update and Automatic Updates tools, as well as for download on Microsoft's Web site. The company has workarounds for people who cannot apply the patch yet because, for example, they need to test it first.


10 comments

Still no viruses
Still no viruses for Mac OSX............. 5 years and counting!
Posted by Europodboy (298 comments )
cme-4
http://cme.mitre.org/data/list.html#4

look for cme-4
Posted by MaxRock17 (11 comments )
And You Also Know Why
You know very well that the reason none of the worms or viruses that take advantage of OSX flaws are in the wild is because it's not financially rewarding to create such malware and it also doesn't give anyone the bragging rights of infecting potentially millions of users.

I'm not being critical of the Mac, Apple have produced a great computer with a good OS, but while big business and possibly more importantly, home users in their tens of millions, don't use Macs for their banking, bill paying, shopping (or more importantly, answering surprisingly rich Nigerians with curiously no method of transferring their money) - owners of spam botnets won't be interested in releasing worms for OSX.
Posted by ajbright (447 comments )
20 years and counting for....
Over 20 years and no viruses for the Atari ST. BTW, the Mac has been around for those 20 years as well. Does this mean the Atari ST is four times better?
Posted by Seaspray0 (9714 comments )
More evidence
...that malicious software writers simply don't care about the Mac. Apple have patched several exploitable flaws this year, for both Mac OS and its bundled software, and yet no serious exploits have emerged. But patched Windows flaws seem a good target for the writers.

If I were a Mac user I would not be trying to persuade people to switch, I would just be enjoying the lack of attention.
Posted by Andrew J Glina (1673 comments )
Different viruses are infecting many computers these days and one of these viruses is the conficker worm. Virus is a kind of computer program that aims to infect the computer without permission of the owner. Moreover, this conficker worm has infected thousands of computers and it's expected to infect thousands more. The Conficker virus is a nasty little worm that trolls for information, like passwords, credit card and debit card numbers, and it was supposed to download all of the information it has stolen already on the first of April. It has not happened yet, but it would be worth a payday cash advance loan for security programs to ward off the computer infection. It works by tracking keystrokes, and if it mines your bank information, you may end up getting a payday cash advance loan to undo damage done by Conficker. Read more at http://personalmoneystore.com/moneyblog/2009/04/04/confickeritis-escape-worm/
Posted by GianaC (2 comments )