The SANS Internet Storm Center and Symantec warned users they are seeing an increase in bots scanning for potential hosts on port 139, one of two ports through which the vulnerability could be exploited. Port 139 is one of the most at-risk ports on the internet as it is responsible for Windows file and printer sharing.
Soon following the Windows server bug's patch on Aug. 8, many security experts predicted a large worm attack could ensue because the flaw is remotely and anonymously executable on all unpatched versions of Windows.
Exploits appeared to die down, but they are back, experts warn.
"…Be aware, they're (worms and exploits) out there," SANS incident handler Joel Esler said today on the group's website. "Most of the worm/code that I have seen have their machines connecting back to a botnet on an (internet relay chat) IRC somewhere. Apparently that's the thing to do for hackers nowadays. Integrate code into worm, attach botnet code and away you go compromising machines."
A Microsoft spokesman said today in an email that the software giant does not foresee a major attack developing.
"I can tell you that Microsoft has been watching diligently since the release of MS06-040 for any increase in malicious activity since the release of that bulletin," the spokesman said. "While we are aware of new attempts to exploit this vulnerability, we are not seeing an increase over the already existing limited attacks attempting to exploit this vulnerability."
Patching the flaw corrects the problem, the spokesman said. In addition, users should keep their anti-virus software updated and ensure their firewall is enabled.