Current state of MS06-040

Over the weekend we saw the first malware to exploit MS06-040 –

The interesting thing about this malware is that it uses old exploit code. That old exploit code is (normally) only able to infect Windows 2000 hosts, which is the main reason why the number of infections is not that high.

This case is similar to Bozori; you might remember that Bozori also (normally) only infected Win2K machines. It will be interesting to see whether there are similar high-profile casualties this time round. However, compared with MS05-039, which Bozori exploited, MS06-040 is much easier to exploit successfully on an XP-based machine.

There is reason to think that exploit code which can do this has already been created, but at the moment it is not widely available. It therefore seems likely that the malware's creators are relying on exploit code which is already public.

We will only see the real impact of MS06-040 when fully functional new exploit code, in the form of a backdoor or worm, is released into the wild. Let's hope that doesn't happen any time soon.

P.S. Don’t forget to reboot the machine after you’ve applied the patch. Until you do, your computer remains vulnerable.
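The reboot warning above is worth checking mechanically. When the fix is installed, the file it replaces is in use (the Server service has it loaded), so Windows stages the new copy for swap-in at the next boot and the running service keeps executing the old code. The following is an added example, not code from the original post or from Kaspersky; it assumes Windows PowerShell with Get-HotFix available, uses KB921883 as the knowledge base number for MS06-040, and reads the standard pending-reboot registry markers to report whether a host is (a) unpatched, (b) patched but not yet rebooted, or (c) actually fixed.

```powershell
# Added example (not from the original post): is the MS06-040 fix installed,
# and has the host been rebooted since? Assumes Windows PowerShell with Get-HotFix.

$kb = 'KB921883'   # KB article number for MS06-040

# Get-HotFix writes an error (not an exception) when the ID is absent, so
# silence it and treat an empty result as "not installed".
$installed = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

# An in-use DLL is queued for replacement at boot via PendingFileRenameOperations
# (REG_MULTI_SZ); Windows Update and Component Based Servicing also set their
# own "reboot required" keys. Any of these means the old code is still running.
$sessionMgr    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$pendingRename = (Get-ItemProperty -Path $sessionMgr -ErrorAction SilentlyContinue).PendingFileRenameOperations
$wuReboot      = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$cbsReboot     = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'

$rebootPending = ($null -ne $pendingRename -and $pendingRename.Count -gt 0) -or $wuReboot -or $cbsReboot

if (-not $installed) {
    Write-Output "$kb NOT installed: host is unpatched for MS06-040"
    exit 2
}
elseif ($rebootPending) {
    Write-Output "$kb installed but a reboot is pending: the Server service is still running the old code"
    # Show any staged file swaps so the operator can see what is waiting on the reboot.
    if ($pendingRename) {
        $pendingRename | Where-Object { $_ -ne '' } | ForEach-Object { Write-Output "  staged: $_" }
    }
    exit 1
}
else {
    Write-Output "$kb installed and no reboot pending"
    exit 0
}
```

The exit codes (2 = unpatched, 1 = patched but not rebooted, 0 = fixed) let the script be run across a fleet from a management tool and the "installed but not rebooted" hosts singled out, since those are the ones a scanner will report as patched while still being exploitable.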
