Worms targeting MS08-067 on Microsoft Windows
Reference: CERT-IST/DG-2008.010
Version: 1.0
Version date: 06 November 2008
Vulnerability Classification
Risk: very-high
Impact: Take control
Confidence: Vendor-acknowledged
System Information
Affected Platform(s):
- Windows 2000 SP4
- Windows XP SP2 and SP3
- Windows XP Professional x64 Edition and Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP1 and Windows Server 2003 SP2
- Windows Server 2003 SP1 (Itanium) and Windows Server 2003 SP2 (Itanium)
- Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition SP2
- Windows Vista and Windows Vista SP1
- Windows Vista X64 Edition and Windows Vista X64 Edition SP1
Description
Problem description:
As already mentioned on 04-Nov-08 in the Cert-IST "Crisis Hub" covering the CERT-IST/AV-2008.461 vulnerability (Microsoft bulletin MS08-067), several worms now use that vulnerability to infect vulnerable Windows systems:
- the KerBot worm
- the Wecorl worm
According to available reports, these worms are however spreading very slowly. Two explanations are plausible:
- either the spreading algorithm used by these worms is weak,
- or the targeted network ports (TCP 139 and 445, used by the Windows Server service that MS08-067 affects) are often blocked at network borders.
In any case, it is urgent, if not already done, to deploy the patches Microsoft released for this vulnerability. A worrying scenario is a mobile laptop that gets infected outside of the company and later spreads the infection on the company's internal network once it is reconnected there, where border filtering no longer protects the other hosts.
Technical information:
KerBot worm
A description of that worm is given in the CERT-IST/AV-2008.467 advisory.
Note: "Kerbot" (or "Kernelbot") is often used to designate that worm, but it was originally the name of the payload installed by the worm on infected systems.
Wecorl worm
According to Symantec, this worm tries to infect all the systems found on the local network. It tries to connect to the following web sites (blanks have been added to break URLs):
- [http://]robot. 10wrj. com
- [http://]ls. cc86. info/mimi[...]
- [http://]ls. lenovowireless. net/mimi[...]
- [http://]ls. playswomen. com/mimi[...]
- [http://]www. gsinvest. gov. cn/managenews/VoteMo[...]
- [http://]ce. 10Wrj. com/10wrjcenew.exe (worm code download)
Other known malware
Other malware also uses the MS08-067 vulnerability to attack targeted systems:
- the "Gimmiv" Trojan (see the CERT-IST/AV-2008.461 advisory);
- the "Clort" Trojan, identified by Microsoft, which could be a variant of "Gimmiv" (Gimmiv-B);
- an ISC SANS report indicates that the mwcollect.org web site has discovered that the host with IP address 61.218.147.66 is scanning the Internet and trying to infect vulnerable systems.
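The Wecorl web sites listed above and the scanning host mentioned in the last item are the only indicators this advisory gives; the following Python script, added here as an example and not part of the Cert-IST advisory, shows how to turn them into a quick check of existing logs. It normalises the advisory's blank-broken hostnames, matches them against proxy log lines, and flags SMB (TCP 139/445) traffic in firewall log lines: the known scanning host, any Internet source reaching SMB at all (i.e. the border filtering that slows these worms is missing), and an internal host fanning out to many internal SMB targets (the infected-laptop scenario). Both log formats and all log lines are constructed for the example; the internal address ranges are assumed to be the RFC 1918 networks.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Hostnames exactly as printed in the advisory (blanks inserted after dots to
# break the URLs); refang() undoes that before matching.
DEFANGED_HOSTS = [
    "robot. 10wrj. com",
    "ls. cc86. info",
    "ls. lenovowireless. net",
    "ls. playswomen. com",
    "www. gsinvest. gov. cn",
    "ce. 10Wrj. com",
]
SCANNER_IPS = {"61.218.147.66"}   # scanning host reported via ISC SANS / mwcollect.org
SMB_PORTS = {139, 445}            # ports used by the Server service MS08-067 affects
# Assumption: the organisation's internal ranges are the RFC 1918 networks.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(host):
    """Drop the blanks inserted after each dot and lower-case the name."""
    return re.sub(r"\.\s+", ".", host.strip()).lower()


KNOWN_HOSTS = {refang(h) for h in DEFANGED_HOSTS}


def host_is_known(host):
    """True for a listed host or any sub-domain of one (e.g. x.ls.cc86.info)."""
    host = host.lower().rstrip(".")
    return any(host == k or host.endswith("." + k) for k in KNOWN_HOSTS)


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed proxy log; hypothetical format: date time client method url status
PROXY_LOG = """\
2008-11-06 09:12:01 10.1.2.33 GET http://ce.10wrj.com/10wrjcenew.exe 200
2008-11-06 09:12:03 10.1.2.33 GET http://ls.cc86.info/mimi/ 200
2008-11-06 09:13:10 10.1.2.44 GET http://www.example.com/ 200
2008-11-06 09:14:55 10.1.2.51 GET http://ROBOT.10wrj.com/ 404
"""
PROXY_RE = re.compile(r"^\S+ \S+ (?P<client>\S+) \S+ (?P<url>\S+) \d+$")


def match_proxy_log(text):
    """Return (client_ip, host) for every request to a listed host."""
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        host = urlsplit(m.group("url")).hostname or ""   # .hostname is lower-cased
        if host_is_known(host):
            hits.append((m.group("client"), host))
    return hits


# Constructed firewall log; hypothetical format: date time action proto src:port -> dst:port
FIREWALL_LOG = """\
2008-11-06 09:20:00 ALLOW TCP 61.218.147.66:3421 -> 192.168.5.10:445
2008-11-06 09:20:05 DENY TCP 198.51.100.7:51000 -> 192.168.5.10:139
2008-11-06 09:21:00 ALLOW TCP 10.1.2.33:1034 -> 10.1.2.44:445
2008-11-06 09:21:01 ALLOW TCP 10.1.2.33:1035 -> 10.1.2.45:445
2008-11-06 09:21:02 ALLOW TCP 10.1.2.33:1036 -> 10.1.2.46:445
2008-11-06 09:21:03 ALLOW TCP 10.1.2.44:1050 -> 10.1.2.33:445
2008-11-06 09:22:00 ALLOW TCP 203.0.113.9:40000 -> 192.168.5.10:80
"""
FW_RE = re.compile(
    r"^\S+ \S+ (?P<action>\S+) (?P<proto>\S+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def match_firewall_log(text, fanout_threshold=3):
    """Return (kind, src, detail, action) alerts for SMB traffic of interest.

    known_scanner        - source is the scanning host named in the advisory
    smb_from_internet    - any non-internal source reaching 139/445 (the action
                           shows whether the border actually blocked it)
    internal_smb_fanout  - an internal host allowed to open 139/445 to at least
                           fanout_threshold distinct internal hosts
    """
    alerts = []
    fanout = defaultdict(set)
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        src, dst, dport, action = m.group("src"), m.group("dst"), int(m.group("dport")), m.group("action")
        if dport not in SMB_PORTS:
            continue
        target = f"{dst}:{dport}"
        if src in SCANNER_IPS:
            alerts.append(("known_scanner", src, target, action))
        elif not is_internal(src):
            alerts.append(("smb_from_internet", src, target, action))
        elif action == "ALLOW" and is_internal(dst):
            fanout[src].add(dst)
    for src, dsts in sorted(fanout.items()):
        if len(dsts) >= fanout_threshold:
            alerts.append(("internal_smb_fanout", src, f"{len(dsts)} hosts", "ALLOW"))
    return alerts


if __name__ == "__main__":
    for hit in match_proxy_log(PROXY_LOG):
        print("proxy hit:", hit)
    for alert in match_firewall_log(FIREWALL_LOG):
        print("firewall alert:", alert)
```

The fan-out threshold is deliberately low for the sample; on a real network it should be tuned against the normal number of distinct SMB peers a workstation has, otherwise file-server-heavy hosts will dominate the alerts.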
Solution
01 - Apply the solutions described in the CERT-IST/AV-2008.460 advisory
The CERT-IST/AV-2008.460 advisory indicates the available patches to fix the MS08-067 vulnerability in Microsoft Windows. It also gives workarounds as well as tools and signatures available to detect attack attempts.
Standard vulnerability IDs
Additional Resources
- Cert-IST security advisory CERT-IST/AV-2008.460 dated October 23, 2008
- Cert-IST security advisory CERT-IST/AV-2008.461 (Gimmiv) dated October 27, 2008
- Cert-IST security advisory CERT-IST/AV-2008.467 (Kerbot) dated November 5, 2008
- Microsoft MSRC Blog dated November 5, 2008
- Symantec description for Wecorl worm dated November 2, 2008
History
Version | Comment | Date
1.0 | Potential danger creation | 06 November 2008