Worm duo tries to hijack Windows PCs

Cybercrooks unleash two worms based on a serious Windows flaw, but the attacks don't seem widespread.

Joris Evers
Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
3 min read
Two worms based on a recently disclosed Windows flaw have been unleashed, but the attacks so far don't appear to be widespread, security experts said.

The pair of worms surfaced over the weekend, several security companies said in alerts. The malicious software tries to hijack the computer for use in a network of commandeered PCs that can be remotely controlled, popularly called a botnet. The worms also can communicate via AOL's Instant Messenger and may be able to spread via the service.

"This is run-of-the-mill malicious software," said Don DeBolt, director of the Security Advisor group at CA, formerly known as Computer Associates. "The malware purveyors are simply packaging their old wares with the new exploit."

The worms are derivatives of the original Cuebot family that first surfaced last year, DeBolt said. These variants have been programmed to exploit a serious flaw in a Windows component related to file and printer sharing. Microsoft issued a patch for the security hole last week in security bulletin MS06-040. Security experts had already predicted that the flaw would spawn a worm attack.

Neither of the variants is very widespread, according to Microsoft, which calls them "Graweg."

"This appears to be an extremely targeted attack, very much unlike what we have seen in the past with recent Internet-wide worms," Stephen Toulouse, a program manager in Microsoft's Security Technology Unit, wrote on a corporate blog Saturday.

The MS06-040 worms appear to be limited to computers running Windows 2000. That's because the computer code used to exploit the vulnerability is most effective on computers with that older operating system, DeBolt said.

"Windows XP is appearing to be more difficult to exploit than its sister platform Windows 2000," he said.

Some security experts have said the age of the high-impact, Internet-wide worm is over. Instead, increasingly organized cybercriminals are looking to exploit flaws directed at specific companies for financial gain and want to fly under the radar. Criminals use botnets to relay spam, distribute spyware and launch other online attacks. A widespread worm could affect the performance of the Internet--a disruption that could also disrupt their means of business.

For the new worms to propagate, the attacker must instruct a compromised machine to scan for new targets, DeBolt said. A vulnerable computer can be compromised remotely and without any user interaction, he said.

"We are not seeing a widespread epidemic at this time, but we do see increased activity on TCP port 445," DeBolt said, referring to the network port used by the vulnerable Windows service.

Security experts expect that the computer code that exploits the MS06-040 flaw will be perfected and popular among miscreants looking to take over Windows systems. "We will see a number of different viral and spyware packages that utilize this exploit as it reaches a large audience," DeBolt said.

To protect their computers, Windows users are urged to install Microsoft's patch. All Windows versions are vulnerable, the software maker said. The fix is available via the Windows Update and Automatic Updates tools, as well as for download on Microsoft's Web site. The company has workarounds for people who cannot apply the patches yet, because they need to test it first, for example.