Attacks on the WINS service vulnerability in Windows Server have been identified as coming from China, but so far are not widespread, according to the Internet Storm Center.

The ISC, which is run by the SANS Institute, says they have only been able to collect limited information on the attacks, but confirmed that they are coming from IP addresses inside China.
The WINS service vulnerability was revealed last week when Microsoft issued patch MS09-039 as part of its regular Patch Tuesday release cycle

The vulnerability was rated as "critical."

Bojan Zdrnja, who is the current Handler on duty at the ISC, said that the ISC has received "several confirmations that the attacks appear to be real, and targeted against WINS servers that have not been patched with the MS09-039 patch."

He said ISC data shows that there is scanning going on, but so far there is no evidence of a widespread attack.

MS09-039 was issued on 11 August when ISC was reporting roughly zero targets per day in association with Port 42 activity, which is used for WINS replication. By 13 August that number had spiked to around 30,000, and by Aug. 16 the number was 70,000.

The WINS service vulnerability affects Windows NT, 2000 and 2003 servers. The most vulnerable of those platforms is Windows Server 2000 with Service Pack 4 installed. Microsoft says that server version has a high likelihood of being hit with "consistent exploit code." The two other versions, Microsoft said, have the likelihood of seeing "inconsistent exploit code."

WINS is a central mapping of host names to network addresses and lets users find computers on a network.

The MS09-039 patch closes a WINS vulnerability that could allow remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a Windows replications packet sent to TCP Port 42.

Data collected by the ISC shows that over the past few days Internet activity associated with Port 42 has risen dramatically.