Feeds

Trojan attacks Microsoft's emergency patch vuln

Transforms self into worm

  • alert
  • submit to reddit

Seven Steps to Software Security

A day after Microsoft released an emergency patch for a critical flaw that could allow self-replicating attacks, researchers have identified a nasty trojan that attempts to exploit the vulnerability.

Variants of the data-stealing trojan known by names including Gimmiv.A and Spy-Agent.da have morphed over the past few weeks to exploit a major weakness in virtually all versions of the Windows operating system. If successful, the exploit could transform the malware into a virulent worm that allows a single infected machine to contaminate any other vulnerable machine over a local network without requiring any interaction on the part of the end users.

At the moment, the part of the trojan that exploits the weakness in the Windows server service isn't especially reliable, researchers said. It generally succeeds only when code custom-built for a specific version and language of the OS encounters its intended target. But the limited success has prompted security experts to take seriously Microsoft's warning that the vulnerability is wormable.

"This could actually be one of the bigger monsters of the last couple years," Alex Eckelberry, president of security provider Sunbelt Software, said of the flaw. "Researchers are going to be burning the midnight oil over the next couple days to understand what the real issues are."

According to this post from the ThreatExpert Blog, Gimmiv.A rifles through a victim's Windows machine for system information and passwords and then posts them to a remote server.

More recently, it has begun dropping a basesvc.dll file onto infected machines that searches through a local network for unpatched Windows machines. When it finds one it "then attempts to exploit other machines by sending them a malformed RPC request and relying on a vulnerable Server service," the post said.

Craig Schmugar, a threat researcher at McAfee Avert Labs, said there are enough defenses built into more recent Windows versions to contain the threat. Those include firewalls and features such as data execution protection that have been turned on by default ever since Microsoft rolled out Service Pack 2 of Windows XP. Still, he warns that people who have posted exploit code to the Milw0rm website have hinted they may have additional capabilities. (McAfee's Avert Labs, has also blogged about the trojan here.)

The trojan and Milw0rm release aren't the only pieces of code to exploit the weakness. Within a few hours of Microsoft's patch release on Thursday, Kostya Kortchinsky, a researcher at penetration testing firm Immunity, published code that successfully exploits the flaw on Windows 2000 machines. The exploit code, which is used by security professionals to identify vulnerable machines, only works against more recent Windows versions in very limited circumstances. That means it's not wormable, he said.

Even so, there's reason to believe the trojan could be only the beginning. Jose Nazario, a researcher at security provider Arbor Networks, said it has been in circulation for more than two weeks, giving the attackers an advantage on white hats, who only learned about the vulnerability on Thursday. What's more, the crude nature of Grimmev leads him to think the code portions that attack the vulnerability have been stolen from someplace else and "bolted" on to the trojan.

"If that's true, then there's someone using this as a 0day prior to this patch release and all of this attention," Nazario wrote here.

McAfee's Schmugar agrees, saying malware writers are likely taking baby steps toward their goal of perfecting code that reliably exploits the flaw on a widespread scale.

"Even if there are certain stumbling blocks that don't allow for ideal exploitations that the bad guys would want, they will likely keep plugging away to try and refine those exploits, he said. "People should expect that [attacks] will evolve." ®

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
BMW's ConnectedDrive falls over, bosses blame upgrade snafu
Traffic flows up 20% as motorway middle lanes miraculously unclog
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.