Microsoft created MS08-067 to fix a serious vulnerability. MS even felt the problem was critical enough to justify an out-of-band release of the update. They were right; find out why.
MS08-067 is the fix for server service vulnerability CVE-2008-4250:
“A remote code execution vulnerability exists in the Server service on Windows systems. The vulnerability is due to the service not properly handling specially crafted RPC requests. An attacker who successfully exploited this vulnerability could take complete control of an affected system.”
Microsoft had a real sense of urgency with this patch. The Gimmiv.A trojan, which exploits the server service vulnerability, was already found on servers and desktops in the wild. The ThreatExpert blog “Gimmiv.A exploits critical vulnerability” gives a detailed explanation of the trojan and its capabilities.
The Gimmiv.A trojan was designed to collect system information and passwords from the infected computer, then send the information in an encrypted format to a remote server. Next the remote server sends files back to the compromised computer, which will be used to further propagate the trojan. It appears that the Gimmiv.A author has a sense of humor as the following image (courtesy of ThreatExpert) is among the downloaded files:
Just the start
Malware developers have learned a great deal from Gimmiv.A and are using that knowledge to create more sophisticated or sinister (depending on your viewpoint) bot code. With that in mind, I’d like to introduce the newest worm/trojan that effectively exploits this latest Windows vulnerability. It goes by several names: Trend Micro calls it Worm_DownAD.A, Microsoft prefers Worm:Win32/Conficker, and finally Symantec likes Downadup. With your permission, I’d like to use Worm_DownAD.A to avoid confusion. Trend Micro has an in-depth analysis of Worm_DownAD.A, including the following diagram:
Microsoft even pointed out something rather unique about the Worm_DownAD.A in their Malware Protection Center blog “More MS08-067 Exploits“:
“It is also interesting to note that the worm patches the vulnerable API in memory so the machine will not be vulnerable anymore. It is not that the malware authors care so much about the computer as they want to make sure that other malware will not take it over too.”
I tried but wasn’t successful in finding out whether the computer was still patched after removing Worm_DownAD.A. Kind of ironic isn’t it.
So what’s the big deal?
It’s just another worm or trojan, why spend so much time discussing it? Well, as you know I’ve been focusing on botnets lately and guess what? That’s right, Worm_DownAD.A is a botnet creator and quite a good one at that. In fact, the author of Worm_DownAD.A will be able to brag about coding a worm that’s helping to create one of the more formidable botnets.
As of this writing, analysts are estimating the Worm_DownAD.A botnet to have over half a million members. Sure, that’s notable, but what if I told you it took only three weeks to amass that number of bots. Analysts find that pretty incredible. The analysts also find it very worrisome, simply because they feel the Worm_DownAD.A botnet is nowhere near done recruiting new bots. Security experts are also interested in the fact that the Worm_DownAD.A botnet is uniformly spread throughout the world. Normally that’s not the case and has them puzzled as to why.
The botnet examples I gave in my previous article, “Botnets: Keep Computers Up to Date or Else” pale by comparison. The size and rapid growth of the Worm_DownAD.A botnet has two possible explanations: Computers aren’t getting updated, or the computers can’t be updated because they use pirated copies of Windows OS software. In either case, I’m afraid botnets and associated high levels of spam aren’t going away anytime soon, unless we get software updating under control.
Need help keeping systems connected and running at high efficiency? Delivered Monday and Wednesday, TechRepublic’s Network Administrator newsletter has the tips and tricks you need to better configure, support, and optimize your network. Automatically sign up today!