Malware Exploits Windows’ WMI Utility
Written by Administrator   
Monday, 07 June 2010 13:00

Lennard Galang, an engineer at Trend Micro, writes in a blog post that two pieces of malware have been detected that exploit Windows Management Instrumentation (WMI), a Windows facility, to launch their malicious activities, as reported by Help Net Security on May 27, 2010.


The Windows Management Instrumentation service helps end users retrieve and access details about their operating systems. Administrators find it especially useful, particularly in enterprise environments, because WMI can manage the software loaded on computers across a network using any of several scripting languages.

For attackers, WMI is an attractive service in which to host malicious software, since it contains a large database.

The attackers introduce crafted pragma into WMI to make affected computers retrieve confidential data, to raise their own privileges so that they can look into the affected PC and the other machines on the network, and to implant malicious code inside targeted services.

In the new attack, which TrendLabs spotted, WMI code called TROJ_WMIGHOST.A arrives packaged with a malicious DLL called BKDR_HTTBOT.EA when it attacks a system.

Moreover, the malicious WMI code opens two Web browser windows. One of them lets BKDR_HTTBOT.EA run through ActiveX content. The other allows the backdoor to attach a Word, Excel or PowerPoint Office file to an external website and run other malicious code using the Ghost IP. Owing to this backdoor, end users are at risk of losing confidential and vital data.

Nonetheless, the use of WMI for malicious activities isn't new. At the 2008 Kiwicon (a New Zealand hacker conference), an Internet security expert presented a proof-of-concept Trojan named 'The Moth,' which deploys malware by using WMI.

The Trojan apparently installs and runs more malware on the infected computer or, alternatively, on removable drives. In the process, it conceals malicious scripts and relaunches a rootkit even after it has been spotted and eliminated.

To stay secure, the security specialists stated, Internet users can adopt some simple measures such as deploying AV software and routinely keeping it up to date, installing OS patches and service packs, and using an appropriate firewall.

