Several antivirus vendors are reporting on Monday a new round of exploitation of Microsoft's out-of-cycle security bulletin last month. The flaw in MS08-067, which affects how remote procedure calls (RPC) are handled in the Windows Server Service, has the potential to become a fast-spreading worm, according to Microsoft. But experts predict any exploitation will be bundled within an existing Trojan horse or botnet package because that's where criminals can make the most money from the malware code.
Ken Dunham of iSIGHT Partners said his company was looking at three samples of interest.
One is what F-Secure is calling Rootkit.Win32.KernelBot.dg; another is what Symantec calls W32.Wecorl. A third appears to be a weak variant of the Wecorl. "All appear to be related to bots, components for building a botnet, than the Gimmiv Trojan, one of the first to exploit the vulnerability in MS08-067 and was used to steal personal information.
Dunham said these samples of malware appear to be autorooters, malicious programs that are designed to automatically scan and attack targeted computers. He stressed that what we're seeing today are not worms, but autorooters, which are still a manual process but are nonetheless a major step toward automating the code.
The way the attack works is that the criminal points his computer at a target PC. The autorooter goes out to the Internet and pulls down exploit code for vulnerabilities including MS08-067. Once the target computer is compromised, the criminal then installs "code of choice." Dunham said so far he's seen a back door version of the eMule client application installed along with a few other files. This gives the criminal anonymous access and control to the compromised machine and makes it part of a larger botnet. So far the botnet has been used to create denial-of-service attacks on sites mostly in China, including Google.cn.