Mocbot/MS06-040 IRC Bot Analysis

Filed under Vulnerabilities

LURHQ has relased a very good analysis of the MS06-040 IRC Bot which started exploiting vulnerable systems this weekend. You can view the analysis at the LURHQ website. SANS also has a very good article on some steps to take to block or detect this on your network. Note the following:

– Lookout for laptops coming back into your internal network. Telecommuters that VPN in from home then come back to the corporate network could be vulnerable if not patched.

– Outgoing traffic to 18067/TCP,

– Outgoing traffic to port 445/TCP (scans could be internal and external) looking for computers to infect.

– Anti-virus vendors may not be up-to-date with definitions so patching is your best defense right now.

Comments are closed.