On August 15, Security UPDATE subscribers received the Security Alert "Exploits Attack Windows Server Service," regarding new exploits that install bots onto unprotected systems. You can also find the Alert at the URL below.
http://www.windowsitpro.com/Article/ArticleID/93190/93190.html
The exploits were reported by LURHQ, a provider of threat and vulnerability management services. A few days after its initial report, LURHQ posted a detailed analysis of one of the exploits, which installs a variant of Mocbot. The analysis goes far beyond the typical level of detail you might expect to see from your antivirus or anti-malware vendor, which makes it both interesting and valuable as an educational expose.
LURHQ captured and installed the exploit and set up a small forensics network to investigate the inner workings of the bot and its related botnet. The test network consisted of two systems: One to infect with the bot and one to simulate the Internet in order to gather forensic data. One goal was to discover the command and control center for the botnet. Another goal was to discover logon information for the command and control center so that when the data-collecting system made a manual connection to the center, the connector would appear to be just another bot in the network and not a forensics investigator. . . .
Register
