Sunday, August 13, 2006

IRC bot uses 5-day-old exploit MS06-040.

Hopefully everybody followed the advice I gave a few days ago. I just saw the first bot exploiting the remote code execution vulnerabilities patched in last Tuesday's patch set by Microsoft. The bot, known as Mocbot, is apparently only able to spread to Windows 2000 (maybe also to Windows XP SP1 computers). The bot connects to IRC servers at: bbjj.househot.com:18067 and/or ypgw.wallloan.com:18067 ...
Network admins might want to monitor connection attempts to those hosts from within their network. The bot is using the Microsoft Windows Server Service Buffer Overflow MS06-040.
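
One way to do the monitoring suggested above, as an added example that is not part of the original post: it correlates DNS lookups of the two hostnames with outbound connections, so a host is flagged even if it reaches the resolved address on another port or uses port 18067 against an address that was never looked up. The log formats, the RFC 1918 internal ranges, the function names and all sample log lines are assumptions constructed for illustration.

```python
import ipaddress

# Indicators from the post: the bot's IRC server hostnames and port.
C2_HOSTS = {"bbjj.househot.com", "ypgw.wallloan.com"}
C2_PORT = 18067
# Assumption: internal clients sit in RFC 1918 space.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample logs in a hypothetical format; external IPs are documentation ranges.
# DNS log: "<time> <client_ip> <qname> <answer_ip>"
DNS_LOG = """\
2006-08-13T10:01:02 10.1.4.23 bbjj.househot.com. 203.0.113.7
2006-08-13T10:01:05 10.1.4.40 www.example.org. 198.51.100.20
2006-08-13T10:03:11 10.1.9.8 YPGW.WallLoan.com 203.0.113.99
"""
# Connection log: "<time> <src_ip> <dst_ip> <dst_port>"
CONN_LOG = """\
2006-08-13T10:01:03 10.1.4.23 203.0.113.7 18067
2006-08-13T10:02:00 10.1.4.40 198.51.100.20 80
2006-08-13T10:04:00 10.1.7.77 203.0.113.7 6667
2006-08-13T10:05:00 10.1.5.5 192.0.2.55 18067
2006-08-13T10:06:00 203.0.113.50 10.1.4.40 18067
"""

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def find_suspects(dns_log, conn_log):
    """Map each internal IP to the sorted reasons it was flagged."""
    hits, c2_ips = {}, set()
    for line in dns_log.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _, client, qname, answer = fields
        if qname.rstrip(".").lower() in C2_HOSTS:
            c2_ips.add(answer)  # remember what the name resolved to
            if is_internal(client):
                hits.setdefault(client, set()).add("dns-lookup")
    for line in conn_log.splitlines():
        fields = line.split()
        if len(fields) != 4 or not is_internal(fields[1]):
            continue  # malformed, or not an outbound attempt from our hosts
        _, src, dst, port = fields
        if dst in c2_ips:
            hits.setdefault(src, set()).add("conn-to-resolved-ip")
        if port == str(C2_PORT):
            hits.setdefault(src, set()).add("conn-to-port-18067")
    return {ip: sorted(reasons) for ip, reasons in hits.items()}
```

Calling `find_suspects(DNS_LOG, CONN_LOG)` on the constructed logs flags four internal hosts; the inbound connection from an external source to port 18067 is ignored because the post's advice concerns attempts from within the network.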