Security leader releases free tool based on award-winning Retina Scanner; Blink Endpoint Security also proactively protects users without the need for a software patch
(ALISO VIEJO, CA) August 14, 2006 eEye Digital Security®, a leading developer of network security and vulnerability management software solutions, as well as the industry’s foremost contributor to security research and education, today announced that it is offering multiple forms of protection for enterprises to immediately address various attacks circulating via a flaw in Microsoft’s (NASDAQ: MSFT) Server Service that was patched last Tuesday in Microsoft bulletin MS06-040. Specifically, eEye confirmed that Blink®, its award-winning endpoint intrusion prevention solution, provides proactive protection against these attacks. In addition, eEye has released a free scanning tool for those organizations unable to deploy Blink or patch their systems quickly. The Retina-based tool can scan up to 256 systems at once to check specifically for vulnerabilities that leverage MS06-040 as an attack vector. Already downloaded more than 23,000 times, the tool is available online at: eEye Tool
“When Microsoft released its 12 patches last Tuesday, it was clear that this flaw was the most critical vulnerability,” said Marc Maiffret, eEye’s co-founder and chief hacking officer. “Once we identified this piece of malware, our research team knew that signature-based security technologies would be unable to detect it, which has been a common denominator for the vast majority of the new malware that our security team has seen. For IT to effectively protect their networks against this type of threat, they either have to incorporate some type of non-signature-based endpoint protection or be prepared to drop everything on Patch Tuesday to patch their critical systems.”
eEye already proactively protects its customers from the exploitation of this vulnerability with Blink, allowing IT departments to deploy software patches according to regularly scheduled maintenance cycles. Blink does not require shutting down services or applications as a means of protection, thus allowing businesses to continue to function normally. The result is 100 percent protection, with zero downtime or impact to operations. In addition, current customers using the Retina Network Security Scanner are already able to scan their systems for this critical vulnerability.
“This illustrates, yet again, the reactive nature of anti-virus and other signature-based security technologies, as well as the need for proactive protection that prevents the root of the problem—the vulnerability—rather than the aftereffect of the problem—the malware—from compromising enterprises’ networks,” continued Maiffret.
The malware is using the Server Service flaw that was patched last Tuesday in Microsoft bulletin MS06-040, which fixes a flaw in an unchecked buffer in the Server Service and allows for anonymous exploitation remotely. Although exploits were circulating and being used in targeted attacks within hours of the release of Microsoft’s patches, there had not been any sort of mass-propagated attacks until one surfaced over the weekend.
On Saturday, eEye’s research team confirmed the existence of a new piece of malware that is automatically infecting systems using the MS06-040 vulnerability as its attack vector to deliver a botnet payload. A botnet is a piece of malware that is typically installed—using exploits or viruses—on many systems in order to allow thousands of systems to be controlled to perform attacks, including Distributed Denial of Service (DDoS) attacks. This particular botnet malware connects to IRC chat servers and allows attackers to control infected systems via commands passed over IRC chat. In addition, the malware allows its controller to execute programs, update the bot software, and exploit other machines. The malware will also attempt to disable the Windows firewall and the Windows XP SP2 security alert that triggers when the system’s antivirus software is disabled. At this time there are two separate variants of this malware, using the file names “wgareg.exe” and “wgavm.exe”.
On Saturday, Microsoft released a separate hotfix related to the MS06-040 patch that needs to be installed on Windows 2003 SP1 systems, creating another patching event for IT security departments.
“This means that if users were able to scramble to patch systems for MS06-040 last week, they now have to go install a second patch that fixes a bug in the first one,” Maiffret added. “Proactive protection can spare companies from spending valuable IT resources to take the servers offline yet again. Blink users are able to patch their systems when it makes sense for their business and avoid a serious impact to productivity.”
Users of anti-virus solutions should make sure that they have the latest signature files. As a final precaution, eEye recommends filtering TCP ports 139 and 445 at the corporate gateway and instructing users to not open any unexpected email attachments.
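As an added example that is not code from eEye or this release, the following host-triage check runs over constructed data and covers the indicators described above (the two variant file names, IRC command-and-control traffic, the Windows firewall being disabled) together with the gateway filtering recommendation for TCP 139 and 445; the snapshot record format and the use of port 6667 for IRC are assumptions.

```python
"""Host triage for the MS06-040 botnet indicators named in the release (added example)."""
from dataclasses import dataclass

# File names of the two variants named in the release.
KNOWN_BOT_FILES = {"wgareg.exe", "wgavm.exe"}
# Assumption: the release says only "IRC chat servers"; 6667 is the conventional IRC port.
IRC_PORTS = {6667}
# Ports the release recommends filtering at the corporate gateway.
SMB_PORTS = {139, 445}


@dataclass
class HostSnapshot:
    processes: list          # running image names as reported by a process listing
    connections: list        # (remote_ip, remote_port) for established outbound sessions
    firewall_enabled: bool   # Windows Firewall state


def triage(snap: HostSnapshot) -> list:
    """Return a list of findings; an empty list means no indicator matched."""
    findings = []
    hits = KNOWN_BOT_FILES & {p.lower() for p in snap.processes}
    for name in sorted(hits):
        findings.append(f"known bot image running: {name}")
    irc = [f"{ip}:{port}" for ip, port in snap.connections if port in IRC_PORTS]
    if irc:
        findings.append("outbound IRC session(s): " + ", ".join(irc))
    if not snap.firewall_enabled:
        findings.append("Windows Firewall disabled (the bot attempts this)")
    # Escalate only when a known image is paired with C2 traffic or firewall
    # tampering, so a legitimate IRC client alone does not raise an incident.
    if hits and (irc or not snap.firewall_enabled):
        findings.insert(0, "LIKELY MS06-040 BOT INFECTION")
    return findings


def gateway_gaps(rules: list) -> list:
    """Given (proto, port, action) gateway rules, return SMB ports not denied on TCP."""
    denied = {port for proto, port, action in rules if proto == "tcp" and action == "deny"}
    return sorted(SMB_PORTS - denied)


# Constructed sample data, not captured from a real host or gateway.
infected = HostSnapshot(["svchost.exe", "WGAREG.EXE"], [("10.0.0.7", 6667)], False)
clean = HostSnapshot(["svchost.exe", "mirc.exe"], [("10.0.0.9", 6667)], True)
rules = [("tcp", 445, "deny"), ("tcp", 80, "allow")]

if __name__ == "__main__":
    for finding in triage(infected):
        print(finding)
    print("gateway still passes TCP ports:", gateway_gaps(rules))
```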
Over the last five years, industry experts have recognized eEye as the preeminent organization in the discovery of the most critical vulnerabilities in various platforms and applications, including the vulnerabilities subsequently leveraged by the Sasser, Witty and Code Red worms, as well as the Microsoft ASN vulnerability and hundreds of other important discoveries. This expertise gives eEye a distinct advantage in designing services and software solutions for the assessment, remediation and prevention of vulnerabilities and the attacks that leverage them.
About Blink® Endpoint Intrusion Prevention
Designed to be implemented on individual assets such as servers, PCs and laptops, Blink is the first endpoint product to combine multiple layers of security technologies to protect enterprises from zero-day attacks that leverage as-yet-unknown vulnerabilities within enterprise networks. This comprehensive security solution allows organizations to defer patching vulnerable machines until regularly scheduled maintenance cycles, thereby saving millions of dollars in business disruption and the associated IT resource drain caused by “panic” patching. Additionally, Blink eliminates the problem of so-called “socially engineered” security threats, in which hackers trick individuals into downloading malware or otherwise making their own machines vulnerable to attack. As a result, Blink uniquely protects assets from vulnerabilities, as opposed to only thwarting attacks. For those interested in protecting corporate systems with Blink, an evaluation version is available for download on eEye's Website: Blink
eEye's integrated family of vulnerability management solutions helps IT and security professionals confidently safeguard their valuable digital assets. Working in conjunction with popular tools such as firewalls and intrusion detection systems, eEye's product portfolio also includes Retina® Network Security Scanner, REM™ Security Management Console, Iris® Network Traffic Analyzer and SecureIIS™ Web Server Protection.
About eEye Digital Security
eEye Digital Security® is pioneering a new class of security products: integrated threat management. This next generation of security detects vulnerabilities and threats, prevents intrusions, and protects all of an enterprise’s key computing resources, from endpoints to network assets to web sites and web applications, all while providing a centralized point of security management and network visibility. eEye’s research team is consistently the first to identify new threats in the wild, and our products leverage that research to deliver on the goal of making network security as easy to use and reliable as networking itself. Founded in 1998 and headquartered in Orange County, California, eEye Digital Security protects more than 9,000 corporate and government organizations worldwide, including half of the Fortune 100. For more information, please visit www.eeye.com
Primary Agency Contact
Victor Cruz
MediaPR
(508) 655-4397 eEye@mediapr.net
EMEA Agency Contact
Ralph Klöwer
INTERFACE Relations
+49 (0) 89-552 688-66 r.kloewer@interface.pr.de
Corporate Contact
Stacy Newman
eEye Digital Security
(949) 900-4131 press@eEye.com
