MS08-067: Not updating has created a monster botnet

Microsoft created MS08-067 to fix a serious vulnerability. MS even felt the problem was critical enough to justify an out-of-band release of the update. They were right; find out why.

-------------------------------------------------------------------------------------------------------------------

MS08-067 is the fix for server service vulnerability CVE-2008-4250:

"A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system."

Microsoft had a real sense of urgency with this patch. The Gimmiv.A trojan, which exploits the server service vulnerability, was already found on servers and desktops in the wild. The ThreatExpert blog "Gimmiv.A exploits critical vulnerability" gives a detailed explanation of the trojan and its capabilities.

The Gimmiv.A trojan was designed to collect system information and passwords from the infected computer, then send the information in an encrypted format to a remote server. Next the remote server sends files back to the compromised computer, which will be used to further propagate the trojan. It appears that the Gimmiv.A author has a sense of humor as the following image (courtesy of ThreatExpert) is among the downloaded files:

[Image: homer.png]

Just the start

Malware developers have learned a great deal from Gimmiv.A and are using that knowledge to create more sophisticated or sinister (depending on your viewpoint) bot code. With that in mind, I'd like to introduce the newest worm/trojan that effectively exploits this latest Windows vulnerability. It goes by several names: Trend Micro calls it Worm_DownAD.A, Microsoft prefers Worm:Win32/Conficker, and finally Symantec likes Downadup. With your permission, I'd like to use Worm_DownAD.A to avoid confusion. Trend Micro has an in-depth analysis of Worm_DownAD.A, including the following diagram:

[Image: worm_downad_a1.gif]

Microsoft even pointed out something rather unique about Worm_DownAD.A in their Malware Protection Center blog "More MS08-067 Exploits":

"It is also interesting to note that the worm patches the vulnerable API in memory so the machine will not be vulnerable anymore. It is not that the malware authors care so much about the computer as they want to make sure that other malware will not take it over too."

I tried but wasn't successful in finding out whether the computer was still patched after removing Worm_DownAD.A. Kind of ironic, isn't it?

So what's the big deal?

It's just another worm or trojan, so why spend so much time discussing it? Well, as you know I've been focusing on botnets lately, and guess what? That's right, Worm_DownAD.A is a botnet creator, and quite a good one at that. In fact, the author of Worm_DownAD.A will be able to brag about coding a worm that's helping to create one of the more formidable botnets.

As of this writing, analysts are estimating the Worm_DownAD.A botnet to have over half a million members. Sure, that's notable, but what if I told you it took only three weeks to amass that number of bots? Analysts find that pretty incredible. The analysts also find it very worrisome, simply because they feel the Worm_DownAD.A botnet is nowhere near done recruiting new bots. Security experts are also interested in the fact that the Worm_DownAD.A botnet is uniformly spread throughout the world. Normally that's not the case, and it has them puzzled as to why.

Final thoughts

The botnet examples I gave in my previous article, "Botnets: Keep Computers Up to Date or Else" pale by comparison. The size and rapid growth of the Worm_DownAD.A botnet has two possible explanations: Computers aren't getting updated, or the computers can't be updated because they use pirated copies of Windows OS software. In either case, I'm afraid botnets and associated high levels of spam aren't going away anytime soon, unless we get software updating under control.


117 comments
bernalillo

pirated software. Well, pirated software updates and validates just fine. Once again it's the lousy programming that screws the pooch. Personally I don't feel a need to load bootleg software, but there are plenty who feel they can or they must. Just out of curiosity, how many patches for XP has MS put out? Is there an end in sight? Will Vista be any different? Or Linux or Apple? We hang the modern age on irredeemably precarious technology.

Fregeus

the name of the process it loads automatically so we can check if we have it loaded? TCB

sar10538

Due to all the pirated copies of Windows, we now have these sort of things to make a mess of the Net.

seanferd

Nationalism, misdirection, or do they just keep up with patching that well in the Ukraine? This looks like a horrifying botnet, especially for corporate networks.

boxfiddler

to hang whatever age we inhabit on anything and everything but ourselves.

Michael Kassner

Are you saying pirated software from MS updates? Is that with an appropriate key?

ketan

As with most of the new malware it will be polymorphic and as such different on every machine. One of the things I discovered earlier this year was a piece of spyware loaded in the pagefile.sys. (I had removed a drive and was scanning with a Linux box.) From that point on I always set the page file to be cleared at shutdown. One of the first things I do is boot from a PE disk and examine the drive - delete and recreate pagefile.sys and hiberfil.sys (yes, they hide there too) - check the system32 folder for any new dll files and delete as necessary - check the registry and boot folders for any unnecessary software - check the hosts file. This gives me many benefits - it usually gives me the ability to clean a machine in less than an hour (not including full AV & AntiSpyware scans), and will actually allow the AV & AS software to function and be updated. Perhaps our friend in S. Africa could use MS SteadyState - could solve a lot of his problems - plus with the use of Heise.de's CTUPDATE he can create update CDs and mail them to people who get capped on bandwidth.

Michael Kassner

It's a big concern, but as I mentioned the experts are somewhat mystified by the uniform distribution of the infected computers. Most experts believed that pirated OS copies were in certain well-defined areas; that may not be the case. The other possibility is that there are many more computers not being updated than first thought. Either way gives the same results though.

Jacky Howe

I would like to know what is so special about the Ukraine. I realise that it can find out which country that it is in on an infected PC. But I wonder if the Bots are smart enough to start with or is there something that cripples them when they find out that they are on a Ukrainian PC.

Michael Kassner

We are all trying to adjust to the exponential learning curve that is being thrown at us.

seanferd

Lots of those floating around on the net, and I'm sure "extras" walk off from various enterprises which will never even notice that they're in use. I believe critical updates are, or were, available regardless of validation status, and can also be downloaded manually with no problem.

Dumphrey

has backup control IPs waiting just like the McColo worm did... Else blacklisting the mentioned IPs (CA article) would effectively halt it on your network.

mamies

It's amazing how many pirated computers you run across. I choose to use Linux mainly because it is more flexible and it's free, and there are no licensing issues that I need to worry about. The problem is people deciding that they don't want to pay for software, which is both morally wrong and against the law, which then leads to an influx of computers which are left vulnerable to these attacks. If these computers only infected themselves and not the rest of the world all would be ok in my books. If you "steal" the software you deserve to be bugged, but it's a shame that others get bugged in the process.

Michael Kassner

I find it interesting that even with all of the vulnerabilities and exploits that are available, it still comes down to a user name and password. I suspect that this will entice the use of multi-factor log on applications such as the use of SecureID or having to enter a number that was sent to you as a SMS message on your cell phone. Personally, I feel this should be in place already.

Michael Jay

Ukraine thing again, this is almost scary.

seanferd

which are not always accurate, so there must be infected Ukrainian systems, and others that have been "erroneously" spared.

Michael Kassner

You know the usual ideas related to IP addrs, but as far as I know there hasn't been any confirmation of that being why the Ukraine computers are not affected. As for this hitting corporate networks, I had to think a bit before I realized why. It's because it was an out-of-band update and the IT types avoided it. At least that's my guess. The malware has gone through all sorts of upgrades, making it very sophisticated. Also the experts feel that this is a totally new group of highly experienced botmasters, completely unrelated to those that were working through McColo. So it's going to get interesting.

santeewelding

To "adjust" or cope does no good. Leapfrog it.

Michael Kassner

I think we need a definition of pirated as well as local in this thread. It's a neat running commentary and I feel fortunate to have learned a great deal from it.

Michael Kassner

I haven't heard of anyone reverse engineering the latest version. I suspect that due to the Srizbi botware having that ability, the experts will be checking for that right away from now on.

Michael Kassner

That makes sense. Maybe they were being nice to the retired person. Student versions are a bunch cheaper; my son gets all sorts of stuff at almost half price.

Tearat

It will do it automatically, Michael. There was a bug in Windows automatic updates that was fixed by an update in some of the older versions of XP. I don't know if that happened with the pirate versions. I have to admit my guilt: I use the pirated version for testing. Activation is a pain in the ass sometimes, even if you have a month. But I have licences and disks for DOS 1 + 2 + 3 + 4 + 5 + 6, Win 3.1 + 3.11, 95 floppies + A + B + C, 98 + SE + 98 upgrade, ME (Used that one so much. HA, what a joke), 2000, 2 for XP Pro, 1 for XP Home upgrade, 1 for Vista Home Premium. The XP Home upgrade was from 98. Others use that in the house. The XP Pro versions are for work and personal use, one for each. Some of the people who had pirated versions did not even know until I told them. Some were told by WGA and called me. Some people still don't know you need a licence. Some of the machines came from dealers or stores without a licence. That was fun. I usually got the "person has left the company" answer when I called them on it. The funniest was one RETIRED person who, after he was told by WGA, went to one of the local stores and was sold the Students and Teachers version. I had to laugh. Sorry, no simple answer to your question. You could ask Microsoft. Sorry, couldn't resist that one.

Michael Kassner

Since the person is using a pirated copy, do you think that person would think it important to update to begin with? I've been trying to figure that out without success.

Tearat

I will write this: The pirated versions of Windows XP will update themselves. If you use one you cannot use the Windows Update website because of WGA. Besides, there are many other ways to update pirated software. I would have to guess at the number of pirated versions of XP I have trashed and replaced with legit versions in the last year or two.

seanferd

That is just a bit interesting.

Michael Kassner

Thanks for sharing that. I've never heard that before. Kind of like "Wag the Dog" sort of thing.

HAL 9000

When the Pirated Software comes directly from M$ themselves. :D The Last Action Pack that I bought was all Pirate according to M$ Activation and when I rang them they wanted to know very much where I bought this from. Seems that M$ is supplying both sides in this fiasco which is really the only way to Have Complete Total Control and that is to work both sides of the fence. Unfortunately for them they got their Deliveries mixed up and all the Pirate Stuff went directly to their Partners. I still get a good laugh out of that one today. :) Col

mamies

What I mean by this is to say that I and many others pay for software that isn't free. The developers work very hard in creating this software (even though we say nasty things about it) and it isn't free software. I was using the Linux sentence in there to say that there are alternatives to stealing Microsoft software which will do the equivalent, as long as you're willing to do a little work to it. I understand that there is a knowledge that is needed to use Linux, but it is being made rather simple with the likes of Ubuntu. Sorry if I sounded rather contradictory. I just disagree with people disobeying the licenses of the product, and then when something like this is created they can't update to stop it.

boxfiddler

"I choose to use linux mainly because it is more flexible and its free" then "The problem is people deciding that they dont want to pay for software which is both morally wrong and against the law". It's ok for you to do, but not anyone else? You, then, are God? etu

Tearat

There is plenty on the web about it if I want to look. But it goes back to human engineering and the tactics used to get information from people, and the security of that information. I also do not like the idea of a recorded password. That means anywhere, including the cell phone or the cell network. I would never email a password for the same reasons. That includes any part of a password. Sorry if I did not make that clear in my response. The safest way to handle a password or key is to remember it and never record it in/on anything. I like the "What you are" part. It is even funnier when you see the speeling mistookes on forums. Now am I a huuman or a human? "What you have" can be just as funny. On rainy days I have an umbrella. Sometimes I have a cold. Biometrics is the future of security for the who/what you are part. What you know will always be the same. What you have is eyes, fingerprints, skin, spit and blood. The first two will do for most. The smart card is also a choice. I would like it in my hand, not under my skin, thanks. Cheers, Steve

Michael Kassner

The number given over the cell phone is just one of usually three factors that are required to be authorized. Multi-factor authentication can be based on:
1. What you know
2. What you are
3. What you have
It requires all three to be correct before authentication is allowed.

Tearat

You can lose a cell phone. But the message should not be sent to anything that can store it. Also, what happens if you miss one? Could the extra calls to help desks become a problem? Can we trust the security of cell phones and the networks?

Michael Kassner

That's why I qualified that comment. In reality, there could be any number of explanations. I believe that this is the first such example of that type of discrimination.

kirkwolf

Could also be sponsored by something, person, corporation, state or whatever entity that doesn't like Ukraine and wants them to look like the villain. Stranger things have happened...

Michael Kassner

I may be overstepping, but it almost sounds like state sponsored.

Michael Kassner

Did you find any research on that, Sean? I bet you did. I've been looking all over for that information. Please share. I also thought that if it was IP related there would be some misses, unless they control their IP addrs to a greater degree than most. This post is really bringing all sorts of interesting concepts and what I would call cutting-edge information out for discussion. Very cool.

Jacky Howe

the trojan then attempts to connect to.

Michael Kassner

Yet another thing that I didn't know. Simply amazing you are.

seanferd

at least in the original meaning of Wampir, that is to say, malicious ghosts. Sea-salt and garlic are a bit more portable, but I'd find the atmosphere provided by a waterfall a plus. ;)

seanferd

Not that the same hosting service may have just "moved" it internally, as so often occurs. edit: the t35.com site, that is.

Michael Kassner

OK, I need a further explanation on that, Sean. Sounds great though. I go to some corporate headquarters that have 2-3 story waterfalls and they are cool.

seanferd

I'm gonna get me a big indoor decorative waterfall and place my system on an island in the middle.

Michael Kassner

Is the IP addr that of the subverted computer or that of a remote computer the infected computer was trying to communicate with? Sorry, I'm a bit slow today.

Jacky Howe

there were no responses to the poster's question and I didn't notice the date on the post. I don't know how effective it is, but I just tried a Visual Trace Route on the IP address 59.106.145.58 that is shown on the AV websites and it ended in Japan. < just to add > I just checked a Symantec Report and indeed it is from Japan. http://safeweb.norton.com/report/show?name=59.106.145.58 I wonder why that site is still up.

santeewelding

When you run out of garlic and have to do with rutabaga. Figures, also, when you slide by my point. Which must not be altogether clear.

Michael Kassner

It's an older worm and if I understand correctly not as active now. What did the people on the forum say? Did they ask if the person submitting the log file up had their computer up to date? Especially MS08-067. Did that person try a port scan? The server service vulnerability would be listening on port 445. Sorry for so many questions.

Jacky Howe

to know where it originated from. It's a nasty little bugger. I was checking out some other forums and came across a posted HijackThis log and I decided to check it out. I was immediately drawn to the .bat file that was in the users temp folder. I Googled the file name but didn't get any hits. After reading your Article I deduced that it is probably Win32/Gimmiv.A.

Michael Kassner

I used the last of it when I made the turkey on Thanksgiving.

santeewelding

Have you futzed with your garland of garlic to hang upon your door?
