MS06-040 shipped on 8 August — the regular Patch Tuesday. The advisory addresses a buffer overflow in the Windows Server Service (srvsvc.dll); successful exploitation gives the attacker SYSTEM-level code execution. Specific bot variants exploiting the vulnerability appeared within days; the cumulative wave is still developing as I write this.
This is a longer operational post because the incident is informative about current patch-to-worm dynamics.
What the vulnerability is
The technical mechanism is a buffer overflow in srvsvc.dll, the Windows Server Service. The vulnerable code handles RPC requests to that service; a specially crafted request triggers the overflow.
The vulnerability is exposed on TCP port 139 and TCP port 445 (the standard SMB ports). Exploitation requires no authentication on Windows 2000; on Windows XP and Server 2003 it requires authenticated access, which narrows the unauthenticated attack surface but does not eliminate it.
Essentially every current Windows version is affected. The vulnerable population is therefore large, the patching response is critical, and the structural conditions favour worm-style exploitation.
What has appeared since 8 August
Exploitation has emerged rapidly.
Working public exploit code appeared within four days of the advisory. Several researchers published proof-of-concept exploits; operational exploits followed quickly.
Bot variants exploiting MS06-040 appeared within roughly a week. The variants, variously called Mocbot, Wargbot and other names, combine the Mytob-class bot architecture with MS06-040 exploitation.
Active scanning for vulnerable hosts on TCP 445. The scan volume against my honeypot range has spiked substantially over the past week; the patterns match the Mocbot scanner signatures.
The compromised population is growing. Operators with unpatched Windows 2000 hosts are particularly affected, and cleanup work is increasing across affected operators.
The pattern is familiar from previous post-patch worm waves. The window between advisory and operational worm exploitation continues to shrink; MS06-040 has been faster than average.
What this teaches operationally
Three observations.
The patch-to-worm gap continues to shrink. Sasser appeared 18 days after MS04-011 in 2004. Mocbot appeared roughly 5 days after MS06-040. The trajectory continues; future advisories will produce faster operational exploitation.
Operators on monthly patch cycles are exposed. The interval between one Patch Tuesday and the next is now longer than the patch-to-worm gap for some advisories, so operators on monthly cycles are guaranteed an exposure window in those months; patching discipline needs to be faster than monthly.
The compromised-host substrate continues to grow. Each new worm contributes to the cumulative population. The MS06-040 wave is adding to the substrate that will support subsequent commercial-cybercrime operations.
What operators should do
For organisations running Windows infrastructure:
Apply MS06-040 immediately if you have not already. The vulnerability is severe, exploitation is active, and every day of exposure matters. Operators who have applied the patch have bounded their exposure.
Audit for compromised hosts. Signatures for the Mocbot variants are widely available. Monitoring for outbound IRC connections is also operationally meaningful, since the bots use IRC for command and control and compromised hosts will show up in that traffic.
Block TCP 445 (and 139) at network perimeters. No legitimate service should be exposed on these ports across an internet boundary. Perimeter filtering bounds the exposure of unpatched hosts to internal sources.
Internal segmentation matters. Lateral spread is a substantial part of the operational impact, because a host compromised inside the perimeter can reach every unpatched host to which it has SMB access. Operators with internal segmentation contain compromise to a segment; those without are more exposed.
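As an added example (not code from the original post), the following Python script applies two of the checks above to constructed firewall log lines: it flags external sources sweeping many internal addresses on TCP 139/445 and internal hosts opening outbound IRC connections. The log format, addresses, port list and threshold are assumptions for the example.

```python
# Added example: scan-sweep and outbound-IRC detection over constructed
# firewall log lines. Log format, addresses and thresholds are assumptions.
from collections import defaultdict

SMB_PORTS = {139, 445}
IRC_PORTS = {6666, 6667, 7000}  # common IRC ports; bots may use others
# Constructed sample log: "<time> <action> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
09:00:01 DENY 203.0.113.7:1025 -> 192.0.2.10:445
09:00:01 DENY 203.0.113.7:1026 -> 192.0.2.11:445
09:00:02 DENY 203.0.113.7:1027 -> 192.0.2.12:445
09:00:02 DENY 203.0.113.7:1028 -> 192.0.2.13:445
09:00:03 DENY 203.0.113.7:1029 -> 192.0.2.14:445
09:00:03 DENY 203.0.113.7:1030 -> 192.0.2.15:445
09:00:04 ALLOW 198.51.100.5:3000 -> 192.0.2.10:80
09:00:05 ALLOW 192.0.2.44:1100 -> 198.51.100.20:6667
09:00:06 ALLOW 192.0.2.45:1101 -> 198.51.100.21:80
09:00:07 DENY 203.0.113.9:2000 -> 192.0.2.10:139
"""

def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) from one log line."""
    _time, _action, src, _arrow, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return src_ip, dst_ip, int(dst_port)

def find_smb_sweepers(log, threshold=5):
    """Sources that hit >= threshold distinct hosts on 139/445: worm-style
    scanning, whether or not the perimeter filter dropped the packets."""
    targets = defaultdict(set)
    for line in log.splitlines():
        src, dst, port = parse_line(line)
        if port in SMB_PORTS:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}

def find_outbound_irc(log, internal_prefix="192.0.2."):
    """Internal hosts connecting out to IRC ports: candidate bot C2 traffic,
    the check to run after patching to find hosts compromised before it."""
    hits = set()
    for line in log.splitlines():
        src, _dst, port = parse_line(line)
        if src.startswith(internal_prefix) and port in IRC_PORTS:
            hits.add(src)
    return sorted(hits)

if __name__ == "__main__":
    print("SMB sweepers:", find_smb_sweepers(SAMPLE_LOG))   # {'203.0.113.7': 6}
    print("Outbound IRC:", find_outbound_irc(SAMPLE_LOG))   # ['192.0.2.44']
```

On a real perimeter the sweep threshold should be tuned against the baseline of denied 445 traffic, which is rarely zero.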
For organisations running Windows 2000 specifically:
The migration discussion is now urgent. Windows 2000 is a structural risk; the Zotob experience from last year demonstrated the exposure, and MS06-040 reinforces the point. Migration to Windows XP or Server 2003 is overdue.
The patch is not optional. Even where migration is planned, existing Windows 2000 hosts must be patched now. Operators have surfaced unpatched Windows 2000 hosts during cleanup; the discipline of patching even legacy platforms matters.
What I am observing at Gala Coral
The general patterns visible from inside a major operator (with appropriate confidentiality):
The patching discipline held. Specific Windows infrastructure was patched within days of the advisory. The cumulative exposure during the active-exploitation window was bounded.
Specific scan activity has been substantial. Inbound scanning for TCP 445 has spiked; the patterns match the Mocbot reconnaissance signatures. The cumulative volume is bounded by network filtering.
No internal compromise to date. The combination of fast patching, network filtering, and internal segmentation has produced bounded operational impact during this incident.
The cumulative observation: mature operational discipline produces bounded incident impact. The investment in defensive maturity continues to pay back.
What I am paying attention to
Three things over the next month.
Cumulative impact across the operator population. More organisations will surface incidents and the total cost will become visible; Windows 2000 estates will be more affected than current Windows estates.
Further variants of Mocbot and its successors: 85% probability. The category is established, so further variants are predictable.
Commercial-cybercrime use of the compromised population: 80% probability. The compromised hosts will be monetised through the standard channels (spam relay, DDoS, credential harvesting).
What this teaches about the broader trajectory
The MS06-040 wave is the latest data point in a multi-year pattern. Patch Tuesday produces an advisory; exploit code emerges within days; worms exploit it within roughly a week; compromise across unpatched hosts accumulates for weeks.
Defensive infrastructure has matured to the point where mature operators absorb the wave with bounded impact, while less mature operators continue to be hit harder. The defensive maturity gap continues to widen.
For my own writing: continued tracking of the patch-to-worm dynamics. The cumulative archive of post-patch worm incidents informs structural understanding of the broader trajectory.
More as the wave develops.