Monday

New worms exploiting MS08-067

So the Gimmiv worm (although more of a Trojan than a worm, given its weak propagation methods) mentioned just after the MS08-067 patch release wasn't a big deal. But misery loves company, so let's look at the competition:

First, we received reports of a new piece of malware targeting users of Chinese versions of Windows 2000. The malware, which we detect as W32.Wecorl, was first picked up by our honeypots based in China.

The second of the new arrivals is W32.Kernelbot.A. This is a worm with bot functionality. We managed to retrieve the configuration file for this botnet (cmd.txt); it currently contains locations for downloading additional modules (including the propagation and exploit unit) and instructions to perform DDoS attacks against various websites.

Fortunately, at this stage these worms implement the exploit as an external module that has to be downloaded first. Blocking the following addresses may help to prevent their propagation:

• 10Wrj.com
• zz.ushealthmart.com

(Source: Symantec.com)

The F-Secure blog confirms the circulation of this worm, with an interesting mention:

"The dropped components include a kernel mode DDOS-bot that currently has a selection of Chinese targets in its configuration." (Source: F-Secure)

I wonder if it has anything to do with the reference to "freedom to attack" in this Wired article from today?

Looking back at this last week, I wonder whether our efforts to educate users, and Microsoft's push for regular automated Windows updates and the use of personal firewalls, have paid off. Or maybe we just got a break (for now)? But our prediction that nastier worms were coming came true. The previously mentioned Snort rules do detect the exploit used in the worm.

(Photo under Creative Commons from _saturnine's photostream)