Feeds

Trojan attacks Microsoft's emergency patch vuln

Transforms self into worm

  • alert
  • submit to reddit

The essential guide to IT transformation

A day after Microsoft released an emergency patch for a critical flaw that could allow self-replicating attacks, researchers have identified a nasty trojan that attempts to exploit the vulnerability.

Variants of the data-stealing trojan known by names including Gimmiv.A and Spy-Agent.da have morphed over the past few weeks to exploit a major weakness in virtually all versions of the Windows operating system. If successful, the exploit could transform the malware into a virulent worm that allows a single infected machine to contaminate any other vulnerable machine over a local network without requiring any interaction on the part of the end users.

At the moment, the part of the trojan that exploits the weakness in the Windows server service isn't especially reliable, researchers said. It generally succeeds only when code custom-built for a specific version and language of the OS encounters its intended target. But the limited success has prompted security experts to take seriously Microsoft's warning that the vulnerability is wormable.

"This could actually be one of the bigger monsters of the last couple years," Alex Eckelberry, president of security provider Sunbelt Software, said of the flaw. "Researchers are going to be burning the midnight oil over the next couple days to understand what the real issues are."

According to this post from the ThreatExpert Blog, Gimmiv.A rifles through a victim's Windows machine for system information and passwords and then posts them to a remote server.

More recently, it has begun dropping a basesvc.dll file onto infected machines that searches through a local network for unpatched Windows machines. When it finds one it "then attempts to exploit other machines by sending them a malformed RPC request and relying on a vulnerable Server service," the post said.

Craig Schmugar, a threat researcher at McAfee Avert Labs, said there are enough defenses built into more recent Windows versions to contain the threat. Those include firewalls and features such as data execution protection that have been turned on by default ever since Microsoft rolled out Service Pack 2 of Windows XP. Still, he warns that people who have posted exploit code to the Milw0rm website have hinted they may have additional capabilities. (McAfee's Avert Labs, has also blogged about the trojan here.)

The trojan and Milw0rm release aren't the only pieces of code to exploit the weakness. Within a few hours of Microsoft's patch release on Thursday, Kostya Kortchinsky, a researcher at penetration testing firm Immunity, published code that successfully exploits the flaw on Windows 2000 machines. The exploit code, which is used by security professionals to identify vulnerable machines, only works against more recent Windows versions in very limited circumstances. That means it's not wormable, he said.

Even so, there's reason to believe the trojan could be only the beginning. Jose Nazario, a researcher at security provider Arbor Networks, said it has been in circulation for more than two weeks, giving the attackers an advantage on white hats, who only learned about the vulnerability on Thursday. What's more, the crude nature of Grimmev leads him to think the code portions that attack the vulnerability have been stolen from someplace else and "bolted" on to the trojan.

"If that's true, then there's someone using this as a 0day prior to this patch release and all of this attention," Nazario wrote here.

McAfee's Schmugar agrees, saying malware writers are likely taking baby steps toward their goal of perfecting code that reliably exploits the flaw on a widespread scale.

"Even if there are certain stumbling blocks that don't allow for ideal exploitations that the bad guys would want, they will likely keep plugging away to try and refine those exploits, he said. "People should expect that [attacks] will evolve." ®

Next gen security for virtualised datacentres

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?