MS06-040... Could Be Bad


Microsoft released their normal monthly patches today. Unfortunately, today's set of patches included one that is anything but normal. MS06-040 looks to be exploitable via network ports 139 and 445. This means that a crafty person could create their own application that connects out to machines listening on port 139/445, sends a specially crafted packet that takes advantage of the Microsoft vulnerability and installs itself on the victim's machine, and then the victim's machine starts scanning and repeating the process. US-CERT is already reporting that there are exploits available in the wild; it could be a very bad night!

This isn't anything new, though; this is at least the fourth time Microsoft has allowed this type of vulnerability to exist. The first major one was MS-SQL Slammer. That one was particularly nasty in that it did not have any timing mechanisms to slow down how fast it would spread. Since it was based on UDP, it didn't even bother checking whether the remote machine was up or listening on the vulnerable port; it just sent out very small UDP packets and infected millions of machines throughout the world in a matter of hours.
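The propagation pattern described above (one infected host connecting out to many other hosts on 139/445, then each victim repeating the sweep) leaves a very recognisable footprint in firewall or flow logs: a single source address reaching an unusually large number of distinct destinations on the same port in a short window. The following detector is an added example written for this post, not code from the original article or from Microsoft or US-CERT. It parses constructed key=value log lines (the format, hosts and timestamps are all invented for the example) and flags sources that fan out past a threshold of distinct destinations inside a sliding time window. It generalises beyond MS06-040: the port and protocol lists are parameters, so the same check covers a Slammer-style UDP sweep by setting `ports=(1434,)` and `protos=("udp",)`.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall-style log lines for the example. Addresses, times and
# the key=value layout are synthetic and not taken from any real system.
def build_sample_log():
    lines = []
    base = datetime(2006, 8, 8, 21, 0, 0)
    # Normal traffic: workstation 10.0.0.7 talks to one file server on 445.
    for i in range(5):
        t = base + timedelta(seconds=i * 10)
        lines.append(f"{t.isoformat()} src=10.0.0.7 dst=10.0.0.1 dport=445 proto=tcp")
    # Worm-like traffic: 10.0.0.5 touches 30 distinct hosts on 445 in 15 seconds.
    for i in range(30):
        t = base + timedelta(milliseconds=i * 500)
        lines.append(f"{t.isoformat()} src=10.0.0.5 dst=10.0.0.{100 + i} dport=445 proto=tcp")
    return lines


LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport, proto) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]), m["proto"])


def find_sweepers(lines, ports=(139, 445), protos=("tcp",), window_seconds=60, threshold=20):
    """Map each source address to the peak number of distinct destinations it
    contacted on the watched ports within any window of window_seconds, keeping
    only sources whose peak reaches the threshold."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, dport, proto = parsed
        if dport in ports and proto in protos:
            events[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        recent = deque()              # events inside the current window
        live = defaultdict(int)       # distinct destinations -> count in window
        peak = 0
        for ts, dst in evs:
            recent.append((ts, dst))
            live[dst] += 1
            # Drop events that have fallen out of the window.
            while recent and ts - recent[0][0] > window:
                old_ts, old_dst = recent.popleft()
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
            peak = max(peak, len(live))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, fanout in find_sweepers(build_sample_log()).items():
        print(f"possible sweep from {src}: {fanout} distinct hosts on 139/445 within 60s")
```

The threshold and window are the tuning knobs: a workstation that legitimately browses a dozen file shares a minute should sit well under a fan-out of 20, while a self-propagating host burns through that in seconds. Counting distinct destinations rather than raw connections is what separates the two cases; the normal host above makes five connections but to only one peer, so it never trips the rule.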

The next major event was Blaster, which happened the summer after SQL Slammer. It took advantage of a DCOM vulnerability and also caused havoc throughout the world. Nachi was released close on the heels of Blaster, then Welchi came along a little later.

Finally, just last year a WinPNP vulnerability was released; it, however, did not have that large of an impact on the world. Perhaps individuals and companies have finally learned to patch quickly when Microsoft tells them to? Hopefully today's vulnerability will be nothing but a minor annoyance as well. If so, then perhaps it is because of lots of people doing the right thing instead of waiting for months and months between patching their Windows systems.

I really hope I'm wrong and nothing comes of this; this is one time I don't mind being wrong!

4 Comments

Where do they get the weird names for these viruses? Are they made up by the infectors or the infectees?

It varies greatly. Sometimes the writer of the malware will include the name inside of their program. Other times the person who first finds the malware will create the name based on the behavior of the malware. For worms, the creator might include what is called a Command & Control Channel which uses some phrase or word.

Thanks, Jay!

I think this pertains to the issue:

http://www.eweek.com/article2/0,1895,2004893,00.asp