To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/malware/0,3800003100,39161721,00.htm

Porn spam spike due to Windows hole - CipherTrust
Zombie ranks swell on back of worm...

By Joris Evers and Colin Barker

Published: Wednesday 23 August 2006

Malicious code that exploits a recent Windows hole has led to significant growth in the number of hijacked PCs, according to messaging security company CipherTrust.

On Tuesday, CipherTrust reported a 23 per cent growth in the total number of so-called zombie PCs it has detected. The jump is due to the spread of Mocbot worm variants, CipherTrust said. Mocbot, also known as Cuebot and Graweg, exploits a Windows security flaw for which Microsoft issued a patch with security bulletin MS06-040 on 8 August.

Dmitri Alperovitch, a research scientist at CipherTrust, said: "Around 13 August, the weekend after Black Tuesday, we started seeing a gradual increase in the average number of new zombies. It went up from 214,000 every day in the previous week to 265,000 every day."

Any computer infected by Mocbot will become part of a botnet, a large network of compromised PCs that can be controlled remotely to carry out tasks such as sending spam. In June, Microsoft warned that the threat posed by botnets and zombies was growing fast.

CipherTrust can trace the increase in spam-sending zombies to Mocbot by comparing junk email sent by systems it knows were compromised by the worm to the spam sent by new zombies, Alperovitch said. "They are mostly Rolex spam and porn spam, and they are the same messages that are being sent by these new zombies coming online," he said.

Alperovitch estimated that somewhere between 500,000 and one million machines were hijacked by Mocbot. As a result, more junk mail is soiling the internet, with spam making up 81 per cent of all mail volume this week. "I would not say this has been a huge outbreak but it has been a noticeable change," he said.

Security experts had said the MS06-040 worm appeared to be limited in its spread and only hitting computers running Windows 2000.

Joris Evers writes for CNET News.com

Colin Barker writes for ZDNet UK