Network administrators noticed an increase this week in scans for Windows computers vulnerable to the Windows Server service flaw fixed by Microsoft last month.
The scans are due, at least in part, to a variant of the SDBot program--also known as rBot and Randex--that has been modified to use the Microsoft flaw and set to spread automatically. It took less than a week for underground programmers to modify their bot software to take advantage of the latest Windows flaw, described in security bulletin MS06-040.
Network administrators reported the increase in scans to port 139, one of the standard ports used by Microsoft network applications, on mailing lists and to the SANS Institute's Internet Storm Center. On Thursday, the ISC confirmed that it had received a copy of the bot software from an administrator whose machine had been infected.
Adding worm capabilities to bot software is nothing new. Custom-programmed worms have largely disappeared, replaced by open-ended bot programs to which new functionality--such as compromising computers with the latest flaws--can be added. Such bots, when ordered by a bot herder to spread automatically, are generally still referred to as worms. That's what happened in April 2005 when the bot-turned-worm Zotob spread widely.
Bots have become a serious problem for users and network administrators. A week ago, a federal judge in Seattle sentenced one bot herder to 37 months in prison for creating a network of compromised machines, or bot net, that severely impacted operations at a Seattle area hospital. Prosecutors believed that at its peak, the bot net could control more than 1 million compromised machines.
Posted by: Robert Lemos