They're Baaack! Hackers Renew Windows 'MS06-040' Attacks

Two security companies say they have detected a significant increase in activity on one of two ports that an exploit against the MS06-040 vulnerability would use in an attack.
Symantec also said that it had received reports of a worm in the wild that was using the MS06-040 vulnerability to attack PCs running Windows NT 4.0. An initial report posted to the Full Disclosure security mailing list was "extremely vague," said Symantec, which has been unable to reach the researcher who reported the worm, and so has no sample code to examine. Other researchers writing to the Full-Disclosure noted that the malicious code also successfully attacks Windows 2000 systems.

The new Spybot and the attack against Windows NT machines seem to be separate, Symantec said. It has deployed honey pot systems in the hopes of collecting a sample of the new NT worm.

Windows NT users are particularly vulnerable to attack, Cole added, since the aged operating system has been dropped from Microsoft's support list; the Redmond, Wash. developer stopped issuing security fixes for NT on the last day of 2004.

"There's been a lot of activity exploiting the MS06-040 vulnerability," said Cole. "Randex, Stration, a number of threats. Once an exploit is released, everyone scrambles to include it."

By Symantec's tally, six known bots are leveraging the MS06-040 exploit. That was enough for the Cupertino, Calif. security company to push its ThreatCon security status ranking from "1" to "2" on Thursday.

"It's a cumulative thing," said Cole, acknowledging that no single exploit caused the company to up its alert level. "The increase in infection angles and the activity on port 139 and 445 shows it's a problem across the board."

Both Symantec and the ISC urged users to patch their systems with the fix issued with MS06-040. If patching isn't possible -- or one is simply not available, as is the case for Windows NT users -- users should filter or block TCP ports 139 and 445, the pair advised.