Threat Research & Response Blog
A few weeks ago, Microsoft released an update for a vulnerability in Windows that was considered “wormable” in certain scenarios. Bulletin MS08-067 includes more information. There were limited attacks in the wild at the time of the release and we blogged about it here. We would like to give you a quick update about the attacks we've seen since then.
First, it is quite obvious that people are trying to create effective exploits for this vulnerability. Almost every day we find new variants exploiting MS08-067; by now we have collected over 50 distinct exploits of it. Some of them are simply compilations of proof-of-concept code that was released on a variety of web sites. Others are actual malware that exploits the vulnerability and then takes some action, and still others wrap existing exploit code to enable the targeting of large ranges of IP addresses. We also found some GUI tools that generate exploits; however, the code they use is similar to the exploit code in the other binaries. Our generic signature, Exploit:Win32/MS08067.gen!A, catches the current exploit files, and for some of them we have added specific signatures. In any case, in spite of the increasing number of files exploiting MS08-067, we are receiving a very small number of customer reports of these attacks, so it is possible that some of these files are being used for targeted attacks. As before, we continue to strongly recommend installing this security update on all your Windows computers if you have not already done so.

Here is a chart with the number of detections by our generic signature, broken down by country/region around the world.

Figure 1: Detections of the generic signature for MS08-067 exploits, broken down by country/region

The first attacks downloaded a bunch of malware that we detect as variants of the Win32/Gimmiv family. We added detection and removal of this malware to the November release of the MSRT; however, in the first three days after that release we received no reports of it. Note that in some cases this malware deletes itself, so a later scan will detect nothing. There is, however, one file that was detected slightly more frequently in the wild. Its SHA1 is 58C7DD2B5F5A1C4288FFE423F7456857B9935C2C. We detect this one using the name Trojan:Win32/Clort.A.dr.
We found that this file uses a variety of names such as MS08067a.exe, ma[<one digit>].exe, or 00001<ten random digits>.exe. All the reports, a few dozen in total, were sent by computers in Japan in early November but we have not received any more reports since. We'll continue to monitor the situation and update our signatures to keep our customers protected.
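The file-name patterns and the SHA1 given above are the kind of indicators a responder would sweep a file inventory for. The following Python script is an added example written for this page, not code from the post or from Microsoft; it turns the three reported name patterns into regular expressions, checks digests against the published SHA1, and runs both over a constructed inventory (the sample names and all digests except the one copied from the post are invented).

```python
import hashlib
import re

# File-name patterns the post reports for Trojan:Win32/Clort.A.dr.
# "<one digit>" and "<ten random digits>" become regex quantifiers.
FILENAME_PATTERNS = {
    "MS08067a.exe": re.compile(r"^ms08067a\.exe$", re.IGNORECASE),
    "ma<one digit>.exe": re.compile(r"^ma\d\.exe$", re.IGNORECASE),
    "00001<ten digits>.exe": re.compile(r"^00001\d{10}\.exe$", re.IGNORECASE),
}

# SHA1 of the dropper as published in the post, normalised to lowercase hex.
KNOWN_SHA1 = {"58C7DD2B5F5A1C4288FFE423F7456857B9935C2C".lower()}


def sha1_hex(data: bytes) -> str:
    """Hex SHA1 of a byte string; use on file contents read from disk."""
    return hashlib.sha1(data).hexdigest()


def filename_reasons(name: str) -> list:
    """Labels of every reported name pattern that the file name matches."""
    return [label for label, rx in FILENAME_PATTERNS.items() if rx.match(name)]


def triage(inventory):
    """inventory: iterable of (file_name, sha1_hex) pairs, e.g. produced by a
    collection script. Returns the entries that match a name pattern or the
    known hash, each with the list of reasons it was flagged."""
    hits = []
    for name, digest in inventory:
        reasons = filename_reasons(name)
        if digest.lower() in KNOWN_SHA1:
            reasons.append("sha1 matches known Clort.A.dr dropper")
        if reasons:
            hits.append({"name": name, "sha1": digest.lower(), "reasons": reasons})
    return hits


# Constructed inventory (not real telemetry). Only the third digest is real;
# it is the SHA1 quoted in the post. The others are placeholders.
SAMPLE_INVENTORY = [
    ("notepad.exe", "0000000000000000000000000000000000000001"),
    ("ma7.exe", "0000000000000000000000000000000000000002"),
    ("ms08067a.exe", "58c7dd2b5f5a1c4288ffe423f7456857b9935c2c"),
    ("000011234567890.exe", "0000000000000000000000000000000000000003"),
    ("ma12.exe", "0000000000000000000000000000000000000004"),  # two digits: no match
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_INVENTORY):
        print(hit["name"], hit["sha1"], "->", "; ".join(hit["reasons"]))
```

Name matching is case-insensitive because NTFS is, and the hash comparison is normalised to lowercase so that hashes copied from reports in either case compare correctly. The name patterns alone are weak evidence (an unrelated file may happen to be called ma3.exe), so the reasons list keeps the hash match separate from the name matches for anyone reading the output.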
-- Dan Kurc & Ziv Mador