The Register®

Original URL: http://www.theregister.co.uk/2005/08/16/irc_bot/

IRC bot latches onto Plug-and-Play vuln

Second route to 'root'

By John Leyden

Posted in Anti-Virus, 16th August 2005 10:59 GMT

The Microsoft Plug-and-Play vulnerability (http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx) exploited by the ZoTob worm has been harnessed to create an IRC bot. IRCBot-ES (http://www.f-secure.com/v-descs/ircbot_es.shtml) uses the vulnerability to spread instead of more common vectors such as Windows RPC security vulns.

The attack provides evidence that virus writers are swarming around the vulnerability - which was only disclosed last week - thinking up new ways to attack vulnerable systems. Early indications are that IRCBot-ES may be more potent than ZoTob because it's easily capable of spreading around internal networks once an infected machine is plugged into a LAN. Anti-virus firm F-Secure reports that one organisation has suffered widespread infection from IRCBot-ES via this mechanism. Meanwhile a further variant (http://www.f-secure.com/v-descs/zotob_c.shtml) of ZoTob has been discovered.

The clear interest from malware authors in the vulnerability underlines the need for Windows users to get patched up sooner rather than later. ®