Several antivirus vendors are reporting on Monday a new round of exploitation of Microsoft's out-of-cycle security bulletin last month. The flaw in MS08-067, which affects how remote procedure calls (RPC) are handled in the Windows Server Service, has the potential to become a fast-spreading worm, according to Microsoft. But experts predict any exploitation will be bundled within an existing Trojan horse or botnet package because that's where criminals can make the most money from the malware code.
Ken Dunham of iSIGHT Partners said his company was looking at three samples of interest.
One is what F-Secure is calling Rootkit.Win32.KernelBot.dg; another is what Symantec calls W32.Wecorl. A third appears to be a weak variant of the Wecorl. "All appear to be related to bots, components for building a botnet, than the Gimmiv Trojan, one of the first to exploit the vulnerability in MS08-067 and was used to steal personal information.
Dunham said these samples of malware appear to be autorooters, malicious programs that are designed to automatically scan and attack targeted computers. He stressed that what we're seeing today are not worms, but autorooters, which are still a manual process but are nonetheless a major step toward automating the code.
The way the attack works is that the criminal points his computer at a target PC. The autorooter goes out to the Internet and pulls down exploit code for vulnerabilities including MS08-067. Once the target computer is compromised, the criminal then installs "code of choice." Dunham said so far he's seen a back door version of the eMule client application installed along with a few other files. This gives the criminal anonymous access and control to the compromised machine and makes it part of a larger botnet. So far the botnet has been used to create denial-of-service attacks on sites mostly in China, including Google.cn.
While Microsoft has labeled Thursday's emergency patch MS08-067 as "critical" and provided a rareout-of-cycle fix because its exploit could easily be used as worm on a compromised network, one security researcher doesn't think it will happen that way.
"It's likely we're going to see this packaged with some other attack." said Ben Greenbaum, senior research manager at Symantec. "A Web-based attack, for example. We're looking out for are exploits of this being bundled with client-side exploits or Trojans so that the worm can get past corporate firewalls and get behind that firewall into the internal network."
Comparisons have been made to Zotob, an RPC worm that spread like wildfire in 2005. Remote Procedure Calls (RPC) allows programmers to run code either locally or remotely; a flaw within them is ideal for creating a worm.
"The potential is certainly there," Greenbaum said, adding that modern day attackers are "looking to create as much revenue for themselves as possible, and part of that equation means avoiding detection. What we're likely to see is that this will be added to a wide variety of attack tool kits already available."
"It's possible--but it's not likely--that we'll end up seeing a purpose-built worm that only exploits this one vulnerability," he said.
Since the patch came out Thursday morning, Symantec has seen increased scanning on ports 139 and 445, ports that exploits of MS08-067 would use.
There are some mitigating factors. Most firewalls, with default settings in place, should not allow an exploit of this penetrate that firewall, he said. However, home networks with File and Printer Sharing could fall victim to a bundled attack using this exploit.
The greatest danger is to systems running Windows XP and Windows 2000; Microsoft has ranked the patch as critical for these systems. On Windows Vista, Windows Server 2008, or Windows 7 pre-Beta, if the firewall is disabled, and File and Printer sharing enabled, an anonymous user could use this exploit to connect but would do so only at the lowest possible integrity setting, which would prevent successful exploitation, Greenbaum said. Microsoft has rated the patch only as important for those operating systems.
- prev
- 1
- next
