Worm sparks rise in zombie PCs

Malicious code that exploits a recent Windows hole is leading to growth in the number of hijacked PCs, CipherTrust says.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
Malicious code that exploits a recent Windows hole has led to significant growth in the number of hijacked PCs, according to messaging security company CipherTrust.

On Tuesday, CipherTrust reported a 23 percent growth in the total number of so-called zombie PCs it has detected. The jump is due to the spread of Mocbot worm variants, CipherTrust said. Mocbot, also known as Cuebot and Graweg, exploits a Windows security flaw for which Microsoft issued a patch with security bulletin MS06-040 on Aug. 8.

"Around Aug. 13, the weekend after Black Tuesday, we started seeing a gradual increase in the average number of new zombies," said Dmitri Alperovitch, a research scientist at CipherTrust in Alpharetta, Ga. "It went up from 214,000 every day in the previous week to 265,000 every day."

Any computer infected by Mocbot will become part of a botnet, a large network of compromised PCs that can be controlled remotely to carry out tasks such as sending spam. In June, Microsoft warned that the threat posed by botnets and zombies was growing fast.

CipherTrust can trace the increase in spam-sending zombies to Mocbot by comparing junk e-mail sent by systems it knows were compromised by the worm to the spam sent by new zombies, Alperovitch said. "They are mostly Rolex spam and porn spam, and they are the same messages that are being sent by these new zombies coming online," he said.

Alperovitch estimated that somewhere between 500,000 and 1 million machines were hijacked by Mocbot. As a result, more junk mail is soiling the Internet, with spam making up 81 percent of all mail volume this week. "I would not say this has been a huge outbreak, but it has been a noticeable change," he said.

Security experts had said that the MS06-040 worm appeared to be limited in its spread and only hitting computers running Windows 2000.

Colin Barker of ZDNet UK reported from London.