Feeds

Trojan attacks Microsoft's emergency patch vuln

Transforms self into worm

  • alert
  • submit to reddit

Reducing security risks from open source software

A day after Microsoft released an emergency patch for a critical flaw that could allow self-replicating attacks, researchers have identified a nasty trojan that attempts to exploit the vulnerability.

Variants of the data-stealing trojan known by names including Gimmiv.A and Spy-Agent.da have morphed over the past few weeks to exploit a major weakness in virtually all versions of the Windows operating system. If successful, the exploit could transform the malware into a virulent worm that allows a single infected machine to contaminate any other vulnerable machine over a local network without requiring any interaction on the part of the end users.

At the moment, the part of the trojan that exploits the weakness in the Windows server service isn't especially reliable, researchers said. It generally succeeds only when code custom-built for a specific version and language of the OS encounters its intended target. But the limited success has prompted security experts to take seriously Microsoft's warning that the vulnerability is wormable.

"This could actually be one of the bigger monsters of the last couple years," Alex Eckelberry, president of security provider Sunbelt Software, said of the flaw. "Researchers are going to be burning the midnight oil over the next couple days to understand what the real issues are."

According to this post from the ThreatExpert Blog, Gimmiv.A rifles through a victim's Windows machine for system information and passwords and then posts them to a remote server.

More recently, it has begun dropping a basesvc.dll file onto infected machines that searches through a local network for unpatched Windows machines. When it finds one it "then attempts to exploit other machines by sending them a malformed RPC request and relying on a vulnerable Server service," the post said.

Craig Schmugar, a threat researcher at McAfee Avert Labs, said there are enough defenses built into more recent Windows versions to contain the threat. Those include firewalls and features such as data execution protection that have been turned on by default ever since Microsoft rolled out Service Pack 2 of Windows XP. Still, he warns that people who have posted exploit code to the Milw0rm website have hinted they may have additional capabilities. (McAfee's Avert Labs, has also blogged about the trojan here.)

The trojan and Milw0rm release aren't the only pieces of code to exploit the weakness. Within a few hours of Microsoft's patch release on Thursday, Kostya Kortchinsky, a researcher at penetration testing firm Immunity, published code that successfully exploits the flaw on Windows 2000 machines. The exploit code, which is used by security professionals to identify vulnerable machines, only works against more recent Windows versions in very limited circumstances. That means it's not wormable, he said.

Even so, there's reason to believe the trojan could be only the beginning. Jose Nazario, a researcher at security provider Arbor Networks, said it has been in circulation for more than two weeks, giving the attackers an advantage on white hats, who only learned about the vulnerability on Thursday. What's more, the crude nature of Grimmev leads him to think the code portions that attack the vulnerability have been stolen from someplace else and "bolted" on to the trojan.

"If that's true, then there's someone using this as a 0day prior to this patch release and all of this attention," Nazario wrote here.

McAfee's Schmugar agrees, saying malware writers are likely taking baby steps toward their goal of perfecting code that reliably exploits the flaw on a widespread scale.

"Even if there are certain stumbling blocks that don't allow for ideal exploitations that the bad guys would want, they will likely keep plugging away to try and refine those exploits, he said. "People should expect that [attacks] will evolve." ®

Mobile application security vulnerability report

More from The Register

next story
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Microsoft: You NEED bad passwords and should re-use them a lot
Dirty QWERTY a perfect P@ssword1 for garbage websites
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
NUDE SNAPS AGENCY: NSA bods love 'showing off your saucy selfies'
Swapping other people's sexts is a fringe benefit, says Snowden
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
British data cops: We need greater powers and more money
You want data butt kicking, we need bigger boots - ICO
Crooks fling banking Trojan at Japanese smut site fans
Wait - they're doing online banking with an unpatched Windows PC?
NIST told to grow a pair and kick NSA to the curb
Lrn2crypto, oversight panel tells US govt's algorithm bods
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.