Over the weekend we saw the first malware to exploit MS06-040 – Backdoor.Win32.IRCBot.st.
The interesting thing about this malware is that it uses old exploit code. This old exploit code is (normally) only able to infect Windows 2000 hosts. This is the main reason why the number of infections is not that high.
This case is similar to Bozori – you might remember that Bozori also (normally) only infected Win2K machines. It will be interesting to see if this time round there are similar high-profile casualties. However, in comparison to MS05-039, which Bozori exploited, MS06-040 is much easier to exploit successfully on an XP-based machine.
There’s reason to think that exploit code which could do this has already been created. But at the moment, it’s not widely available. It therefore seems likely that the creators of IRCBot.st are relying on exploit code which is already public.
We will only start seeing the real impact of MS06-040 when fully functional new exploit code, in the form of a backdoor or worm, is released into the wild. Let’s hope that doesn’t happen any time soon.
P.S. Don’t forget to reboot the machine after you’ve applied the patch. Until you do, your computer remains vulnerable.
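An added example (not part of the original post) of how an administrator can confirm both halves of that P.S.: that the MS06-040 update is actually installed, and that no reboot is still pending on the host. The KB article number is a placeholder to be replaced with the id of the MS06-040 update for the host's OS; the registry locations checked are the standard ones Windows uses to record a pending restart, and `Get-HotFix` requires PowerShell 2.0 or later.

```powershell
# Added example, not code from the original post. Replace the placeholder with
# the KB id of the MS06-040 update that applies to this host's OS.
$KbId = 'KB<MS06-040-KB-PLACEHOLDER>'

function Test-HotfixInstalled {
    param([string]$HotFixId)
    # Get-HotFix reads the same data shown under "Installed Updates".
    return [bool](Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue)
}

function Test-PendingReboot {
    # Three independent signals that an update has not fully taken effect.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

    if (Test-Path $cbs) { return $true }   # servicing stack (Vista and later)
    if (Test-Path $wu)  { return $true }   # Windows Update agent

    # Files the installer could not replace while they were in use are swapped
    # in at the next boot; until then the old binary is still what is loaded.
    $pfro = (Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($pfro) { return $true }
    return $false
}

$installed = Test-HotfixInstalled -HotFixId $KbId
$pending   = Test-PendingReboot

if (-not $installed) {
    Write-Output "$KbId is NOT installed: host is still exposed to MS06-040."
} elseif ($pending) {
    Write-Output "$KbId is installed but a reboot is pending: the patched code is not yet what is running."
} else {
    Write-Output "$KbId is installed and no reboot is pending."
}
```

The middle case is the one the P.S. warns about: inventory tools that only look at the installed-updates list will report such a host as patched even though the vulnerable code is still loaded, so a fleet check should treat "installed but reboot pending" as unpatched until the restart has happened.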
Current state of MS06-040