Hackers Exploit Windows 'MS06-040' Security Vulnerability

As expected, an attack against Windows PCs developed over the weekend, although it came in the form of one-at-a-time bot pinpricks rather than a massive hammer of a worm, security experts and Microsoft said Sunday.

The bot has been dubbed with several names by security firms, including "Graweg," "Mocbot," "WGAReg," and "Cuebot." It uses an exploit published last week that leverages a vulnerability disclosed last Tuesday, Aug. 8, to compromise computers and add them to a botnet. The vulnerability in Windows Server service, which was patched by Microsoft in its security bulletin MS06-040, was widely pegged as the most dangerous of the month's lot. Several security analysts had predicted that an attack against unpatched PCs would soon begin, possibly as early as the weekend.

On Saturday and Sunday, security companies detected two variants, noted that once installed they were able to control AOL Instant Messenger if it was present on the compromised computer, and linked the bot herders' controlling systems to a pair of IP addresses in China. Most security vendors also agreed that this new attack malware was a close cousin to several earlier bots, each of which relied on a different Windows vulnerability to grab PCs.

"So far, this appears to be an extremely targeted attack, very much unlike what we have seen in the past with recent Internet-wide worms," wrote Stephen Toulouse, program manager with the Microsoft Security Response Center, in a posting late Saturday. "In fact, our initial investigation reveals this isn't a worm in the 'autospreading' classic sense, and it appears to target Windows 2000."

Notwithstanding Toulouse's classification of the bot, several security vendors, including Symantec, Sophos, and McAfee, categorized Graweg.a and Graweg.b as "worms." Whatever the nomenclature, the risk remains low for now, said Microsoft.