Tuesday, November 4, 2008

Worm Exploiting MS08-067 in the Wild

Several reports indicate that a worm is propagating in the wild. The worm is based on the MS08-067 patch released on October 23rd, and its origin is believed to be China.
The detected worm starts by scanning the local subnet for port 139. Once a victim machine is infected, the malware tries to download additional code; one of the additional payloads spotted is an old piece of DDoS malware, part of a DDoS botnet. The trojan then blocks access to most antivirus sites.

The worm doesn't appear to be very widespread, although that could change.
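
A defender-side check for the scanning behaviour described above, as an added example that is not from the original post or the reports it references: it flags internal hosts that contact many distinct hosts in their own subnet on TCP port 139 within a short window. The flow-record format, the /24 subnet size, the 60-second window and the threshold of 10 are assumptions, and the sample flows are constructed.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample flow records: (epoch_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = (
    # Sweep of the local /24 on port 139, one host per second
    [(1000 + i, "192.168.1.50", f"192.168.1.{i}", 139) for i in range(1, 41)]
    # Normal client talking repeatedly to a single file server
    + [(1000 + i, "192.168.1.20", "192.168.1.5", 139) for i in range(20)]
    # Twelve distinct peers, but spread over almost an hour
    + [(1000 + 300 * i, "192.168.1.30", f"192.168.1.{100 + i}", 139) for i in range(12)]
    # Unrelated web traffic leaving the subnet
    + [(1000 + i, "192.168.1.60", f"203.0.113.{i}", 80) for i in range(1, 30)]
)

def find_subnet_scanners(flows, port=139, prefix=24, window=60, threshold=10):
    """Return {src: peak count of distinct same-subnet destinations contacted
    on `port` within any `window` seconds} for sources at or above `threshold`."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport != port or src == dst:
            continue
        # Only count destinations inside the source's own subnet (assumed /prefix)
        net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        if ipaddress.ip_address(dst) in net:
            per_src[src].append((ts, dst))

    scanners = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()   # destination -> hits inside the current window
        start = peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that have fallen out of the sliding window
            while events[start][0] < ts - window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            scanners[src] = peak
    return scanners

if __name__ == "__main__":
    for host, count in find_subnet_scanners(SAMPLE_FLOWS).items():
        print(f"{host} contacted {count} local hosts on port 139 within 60s")
```

A slower sweep only shows up with a longer window, so the window and threshold need tuning against normal file-sharing traffic on the network being monitored.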


Exploits available from:
Core Technology
Metasploit
https://metasploit.com/ms08_067_netapi.rb
Immunity
https://www.immunityinc.com/downloads/immpartners/ms08_067.tgz
https://www.immunityinc.com/downloads/immpartners/ms08_067-2.tgz
SecurityFocus
http://www.securityfocus.com/data/vulnerabilities/exploits/31874.zip

References:
http://garwarner.blogspot.com/2008/11/ms08-067-new-rpc-worm-from-china.html
http://www.symantec.com/security_response/writeup.jsp?docid=2008-110306-2212-99&tabid=2
http://asert.arbornetworks.com/2008/11/ms08-067-used-to-drop-ddos-bots/
http://www.snort.org/vrt/docs/white_papers/ms08-067wp.pdf
http://blogs.technet.com/swi/



