MS08-067 – follow up and video

It is unusually quiet on the MS08-067 front, despite a number of stable and public exploits freely available.

As expected, experienced security researchers like Alexander Sotirov published a very good analysis of the vulnerability. So far we have seen a simple worm we generically detect as Mal/Generic-A and several samples of Troj/Gimmiv-A. Both worms exploit the vulnerability to spread, though they do not use it in the same way as worms like Blaster or Sasser did at the beginning of the decade.

The worms rely on a small set of hard-coded IP addresses to download additional modules or a copy of themselves. From my somewhat limited analysis of the Troj/Gimmiv-A replication module it seems like the code responsible for local network propagation also exists and has a hard-coded IP address to retrieve a file using HTTP from a server on the network. It is quite possible that the self-replicating code was in an early stage of development when the malware was discovered in the wild. Once the servers were taken down, the activity decreased.

I have also seen some packet captures which show that a piece of code used HTTP to upload netapi32.dll, the vulnerable Windows library, to another system as part of possible reconnaissance, and that is all for now.

It seems that the concentrated effort of the security industry to educate end users and Microsoft’s push for regular automated Windows updates and the use of personal firewalls has paid off. However, this may have moved the battle with malware writers to the area of web protection, and it will likely stay there in the foreseeable future.

Going back to the timeline of exploits available for MS08-067, the first publicly available exploit was seen on the Milw0rm website 3 days after the disclosure, followed by the Core Impact penetration testing suite and Metasploit, which provided me with a nice opportunity to look at the structure of the exploit code and write proactive detection for files attempting to exploit MS08-067. Furthermore, Metasploit allowed me to test the detection of the exploit modules using the Sophos buffer overflow protection system built into our desktop product.

While I was testing it, Graham and Carole came by and decided we should do a little video: