Mocbot/MS06-040 IRC Bot Analysis

Filed under Vulnerabilities

LURHQ has released a very good analysis of the MS06-040 IRC Bot, which started exploiting vulnerable systems this weekend. You can view the analysis at the LURHQ website. SANS also has a very good article on some steps to take to block or detect this on your network. Note the following:

- Look out for laptops coming back into your internal network. Telecommuters who VPN in from home and then come back to the corporate network could be vulnerable if not patched.

- Outgoing traffic to port 18067/TCP on bniu.househot.com and ypgw.walloan.com.

- Outgoing traffic to port 445/TCP (scans could be internal and external) looking for computers to infect.

- Anti-virus vendors may not be up to date with definitions, so patching is your best defense right now.
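
The network indicators in the list above, written as a log triage check. This is an added example, not code from the original post or from the LURHQ or SANS write-ups. The port and hostnames are the ones listed above; the record format (`kind,src,dst_or_name,proto,dport`), the sample records and the 445/TCP fan-out threshold are assumptions.

```python
import csv
import io
from collections import defaultdict

BOT_PORT = 18067                                        # from the post
BOT_HOSTS = {"bniu.househot.com", "ypgw.walloan.com"}   # from the post
SMB_FANOUT = 5  # assumed threshold: distinct 445/TCP destinations per source

# Constructed sample records (assumed format: kind,src,dst_or_name,proto,dport)
SAMPLE = "\n".join(
    ["dns,10.1.4.23,bniu.househot.com,udp,53",
     "flow,10.1.4.23,192.0.2.50,tcp,18067",
     "flow,10.1.4.77,10.1.0.10,tcp,445",      # one file server: normal use
     "flow,10.1.4.77,10.1.0.10,tcp,445"]
    + [f"flow,10.1.4.23,10.1.4.{n},tcp,445" for n in range(1, 7)]     # internal scan
    + [f"flow,10.1.9.8,198.51.100.{n},tcp,445" for n in range(1, 9)]  # external scan
)

def triage(log_text, fanout=SMB_FANOUT):
    """Return {source_ip: [indicator tags]} for hosts matching the post's indicators."""
    smb_targets = defaultdict(set)   # source -> distinct 445/TCP destinations
    findings = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue                 # skip blank or malformed records
        kind, src, dst, proto, dport = (field.strip() for field in row)
        if kind == "dns" and dst.lower().rstrip(".") in BOT_HOSTS:
            findings[src].add("dns-lookup")
        elif kind == "flow" and proto == "tcp" and dport.isdigit():
            if int(dport) == BOT_PORT:
                findings[src].add("port-18067")
            elif int(dport) == 445:
                smb_targets[src].add(dst)
    # A single SMB destination is ordinary; many distinct ones looks like scanning.
    for src, dsts in smb_targets.items():
        if len(dsts) >= fanout:
            findings[src].add("smb-fanout")
    return {src: sorted(tags) for src, tags in findings.items()}

if __name__ == "__main__":
    for host, tags in sorted(triage(SAMPLE).items()):
        print(host, ", ".join(tags))
```

Hosts flagged only for `smb-fanout` still merit a look, since the post notes the 445/TCP scanning can be both internal and external.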
