Feeds

Trojan attacks Microsoft's emergency patch vuln

Transforms self into worm

  • alert
  • submit to reddit

The Power of One eBook: Top reasons to choose HP BladeSystem

A day after Microsoft released an emergency patch for a critical flaw that could allow self-replicating attacks, researchers have identified a nasty trojan that attempts to exploit the vulnerability.

Variants of the data-stealing trojan known by names including Gimmiv.A and Spy-Agent.da have morphed over the past few weeks to exploit a major weakness in virtually all versions of the Windows operating system. If successful, the exploit could transform the malware into a virulent worm that allows a single infected machine to contaminate any other vulnerable machine over a local network without requiring any interaction on the part of the end users.

At the moment, the part of the trojan that exploits the weakness in the Windows server service isn't especially reliable, researchers said. It generally succeeds only when code custom-built for a specific version and language of the OS encounters its intended target. But the limited success has prompted security experts to take seriously Microsoft's warning that the vulnerability is wormable.

"This could actually be one of the bigger monsters of the last couple years," Alex Eckelberry, president of security provider Sunbelt Software, said of the flaw. "Researchers are going to be burning the midnight oil over the next couple days to understand what the real issues are."

According to this post from the ThreatExpert Blog, Gimmiv.A rifles through a victim's Windows machine for system information and passwords and then posts them to a remote server.

More recently, it has begun dropping a basesvc.dll file onto infected machines that searches through a local network for unpatched Windows machines. When it finds one it "then attempts to exploit other machines by sending them a malformed RPC request and relying on a vulnerable Server service," the post said.

Craig Schmugar, a threat researcher at McAfee Avert Labs, said there are enough defenses built into more recent Windows versions to contain the threat. Those include firewalls and features such as data execution protection that have been turned on by default ever since Microsoft rolled out Service Pack 2 of Windows XP. Still, he warns that people who have posted exploit code to the Milw0rm website have hinted they may have additional capabilities. (McAfee's Avert Labs, has also blogged about the trojan here.)

The trojan and Milw0rm release aren't the only pieces of code to exploit the weakness. Within a few hours of Microsoft's patch release on Thursday, Kostya Kortchinsky, a researcher at penetration testing firm Immunity, published code that successfully exploits the flaw on Windows 2000 machines. The exploit code, which is used by security professionals to identify vulnerable machines, only works against more recent Windows versions in very limited circumstances. That means it's not wormable, he said.

Even so, there's reason to believe the trojan could be only the beginning. Jose Nazario, a researcher at security provider Arbor Networks, said it has been in circulation for more than two weeks, giving the attackers an advantage on white hats, who only learned about the vulnerability on Thursday. What's more, the crude nature of Grimmev leads him to think the code portions that attack the vulnerability have been stolen from someplace else and "bolted" on to the trojan.

"If that's true, then there's someone using this as a 0day prior to this patch release and all of this attention," Nazario wrote here.

McAfee's Schmugar agrees, saying malware writers are likely taking baby steps toward their goal of perfecting code that reliably exploits the flaw on a widespread scale.

"Even if there are certain stumbling blocks that don't allow for ideal exploitations that the bad guys would want, they will likely keep plugging away to try and refine those exploits, he said. "People should expect that [attacks] will evolve." ®

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.