Several variants of bots, scanning for hosts left open to a dangerous Windows Server service vulnerability patched by the Aug. 8 MS06-040 security bulletin, have been identified. They spread by connecting to internet relay chat (IRC) servers.
But Microsoft experts do not believe a destructive worm-like attack is imminent across all Windows platforms, crediting quick patching by many users with keeping the threat at bay.
"We have been seeing activity related to Graweg (the bot) taper off," Adrian Stone, a Microsoft Security Response Center program manager, said today on a company blog. "From our analysis and our work with our partners...we still believe that this has been a relatively contained issue that has only affected Windows 2000. However, we are in no way underplaying the severity of the vulnerability addressed in MS06-040. We continue to urge customers to deploy and test the update with a heightened sense of urgency."
Stone's comments come four days after vulnerability management firm nCircle, among others, voiced fears the exploit could turn into the largest worm attack in years because it is remotely and anonymously exploitable on all unpatched versions of Windows.
Rob Ayoub, industry analyst for network security at consulting firm Frost & Sullivan, said today that mass propagation is unlikely because many organizations have strong perimeter security at ports 139 and 445, where the vulnerability could have been exploited.
"The majority of corporate enterprises that have any security at all would already be blocking that type of traffic," he said.
Ayoub added that more and more home users are deploying anti-virus and firewall solutions, thereby limiting the number of people that could be affected.
"I know that we haven't seen a very serious worm in a while, so I think there was some hype that this was the worm we've been waiting for," he said. "But we also see at the enterprise level there is much more awareness about security. And we are seeing better uptake by home users of deploying anti-virus and having Microsoft updates enabled."
If the flaw is exploited, Ayoub predicts malicious attackers will engage in targeted attacks through alternate vectors, particularly phishing, email attachments and banner advertisements. Organizations and consumers tend to have more lax security measures in place inside the network, he added.