Monday

MS08-067 a few days later. A summary of resources.(updated)



So last week, Microsoft released an out-of-band patch for a nasty RPC vulnerability. See www.microsoft.com/technet/security/Bulletin/ms08-067.mspx. Within hours, proof-of-concept code (milw0rm) and even malware (threatexpert.com) were circulating around the net. There was some discussion about whether it was a trojan or a worm. Anyway, it's a real threat. The 0x000000 blog has a list of infected machines.

The funny thing is that, according to F-Secure, the first versions of the Gimmiv worm were compiled a month before the MS08-067 patch, and these versions can be considered betas. More dangerous versions might arise:

As far as we can see, the first versions of Gimmiv were compiled around the 19th of September which is well over a month ago. We also did code comparison between the variants, and mostly, the changes in the variants are because the attackers were changing parameters instead of introducing new features.

Analysis of the code inside the Gimmiv trojan clearly shows that whoever is behind it is an inexperienced coder. Their code is riddled with bugs in places where the author clearly didn't read his API documentation closely enough. (Source: F-Secure)
Talk about a zero-day exploit. There is an excellent FAQ covering the exploit and the malware on the SecuriTeam blog (mentioned at SANS ISC), but you might also want to check the following resources.

Arbor Networks has some interesting network scanning statistics that can indicate possible worm activity:
Here’s 30 days of activity for TCP ports 139 and 445 from ATLAS; we’re not seeing a huge scanning spike.

While highly wormable — on by default, exploit code is now out, etc — it’s not a Sasser-like situation. Thankfully. This is likely to be mitigated by things like the default firewall in XP SP2 and the like. But we are seeing some malcode on that service. (Source: Arbor Networks)
Arbor also features an analysis of the Gimmiv malware exploiting the RPC bug and references other interesting bits of information.
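
The Arbor figures above come from watching for a scanning spike on TCP 139 and 445, which is how worm-like spread of an RPC/SMB exploit shows up in flow data. The following script is an added example, not code from the original post or from Arbor: it runs a simple fan-out check over constructed NetFlow-style records (the record format, the sample hosts, the 60-second window and the threshold of 5 distinct destinations are all assumptions made for this example) and flags any source that contacts many distinct hosts on those ports within a short window.

```python
"""Flag hosts that fan out to many peers on TCP 139/445 within a time window.

Added example, not from the original post or from Arbor Networks: a small
detector over constructed flow records of the form
"<epoch_seconds> <src_ip> <dst_ip> <dst_port>" (format assumed for this example).
"""
from collections import defaultdict

SMB_PORTS = {139, 445}

# Constructed sample flow records: 10.0.0.5 fans out to 8 distinct hosts on
# 139/445 within 8 seconds (scanner-like); 10.0.0.9 talks to one file server
# repeatedly (benign); 10.0.0.7 is unrelated HTTP traffic.
SAMPLE_FLOWS = """\
1000 10.0.0.5 10.0.1.1 445
1001 10.0.0.5 10.0.1.2 445
1002 10.0.0.5 10.0.1.3 445
1003 10.0.0.5 10.0.1.4 445
1004 10.0.0.5 10.0.1.5 139
1005 10.0.0.5 10.0.1.6 445
1006 10.0.0.5 10.0.1.7 445
1007 10.0.0.5 10.0.1.8 445
1000 10.0.0.9 10.0.2.50 445
1030 10.0.0.9 10.0.2.50 445
1060 10.0.0.9 10.0.2.50 445
1005 10.0.0.7 10.0.3.1 80
"""


def parse_flows(text):
    """Parse records into (ts, src, dst, port) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts, port = int(parts[0]), int(parts[3])
        except ValueError:
            continue
        flows.append((ts, parts[1], parts[2], port))
    return flows


def find_scanners(flows, window=60, threshold=5, ports=SMB_PORTS):
    """Return {src: peak_distinct_dst} for every source that reaches at least
    `threshold` distinct hosts on the watched ports inside any sliding window
    of `window` seconds. Window and threshold are assumed tuning values."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in ports:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()  # order by timestamp so the sliding window is valid
        peak, left = 0, 0
        for right in range(len(events)):
            # Advance the left edge until the window spans at most `window` seconds.
            while events[right][0] - events[left][0] > window:
                left += 1
            distinct = len({dst for _, dst in events[left:right + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    for src, n in find_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible SMB scanner: {src} reached {n} distinct hosts on 139/445")
```

On the constructed sample only 10.0.0.5 is reported; the repeated connections from 10.0.0.9 to a single server stay below the distinct-destination threshold, which is the property that separates scanning from normal file-sharing traffic. In production the same check would be fed from a flow collector and the threshold tuned against a baseline such as the 30-day view Arbor describes.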

Last night, proof-of-concept code was also added to Metasploit. Quote from HD Moore:
added the first real metasploit module for ms08-067, supports XP SP2/SP3 + DEP and Windows 2003 SP0/SP1 without DEP, more targets soon... (Source: Twitter)
The Microsoft advisory 958963 has been updated to reflect the new situation:
Microsoft is aware that detailed exploit code demonstrating code execution has been published on the Internet for the vulnerability that is addressed by security update MS08-067. This exploit code demonstrates code execution on Windows 2000, Windows XP, and Windows Server 2003. Microsoft is aware of limited, targeted active attacks that use this exploit code. At this time, there are no self-replicating attacks associated with this vulnerability. Microsoft has activated its Software Security Incident Response Process (SSIRP) and is continuing to investigate this issue.
So, patching is still the message if you haven't done so already. IDS/IPS might help as an additional detection/prevention measure; Sourcefire has released Snort signatures you can use.

(Photo under creative commons from Яick Harris' photostream)
