Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, 3 November 2008

MS08-067: New RPC Worm from China

Posted on 11:22 by Unknown
Sorry, gentle reader, this blog post is for the Geeks. Bottom line for non-geeks.

MAKE SURE YOU HAVE YOUR WINDOWS SERVERS PATCHED WITH MS08-067.

Non-geeks, quit reading here. Sorry.

We've received word of a new "in the wild" worm based on the MS08-067 "out of cycle" security patch released by Microsoft on October 23rd.

The first report that we received was that ThreatExpert had identified the new worm. Their post was the first place we found an MD5 of the new malware, which was listed as MD5 = AE4251541EBEA00014D3DABC90118279.

We used the article to check VirusTotal to see who was already detecting this one, and got the following results back:

AntiVir - - TR/Expl.MS08-067.G
BitDefender - - Trojan.Downloader.Shelcod.A
F-Secure - - Exploit.Win32.MS08-067.g
GData - - Trojan.Downloader.Shelcod.A
Ikarus - - Virus.Exploit.Win32.MS08.067.g
K7AntiVirus - - Exploit.Win32.MS08-067.g
Kaspersky - - Exploit.Win32.MS08-067.g
Microsoft - - Exploit:Win32/MS08067.gen!A
NOD32 - - Win32/Exploit.MS08-067.B
Prevx1 - - Malicious Software
SecureWeb-Gateway - Trojan.Expl.MS08-067.G
Sophos - - Mal/Generic-A

We know from the ThreatExpert Report that Kaspersky, Microsoft and Sophos were all detecting it BEFORE their report.

Symantec clearly knows about it as well, as Computerworld interviewed their Kevin Haley, who told them Symantec is calling the malware "Wecorl", and that they believe it came out of China. Haley also warns that because infected machines attempt to contact all peers on their subnet via port 139, if a single infected laptop gets into an organization after becoming infected while not behind the corporate firewall, the results could be quite serious.

The Symantec Technical Details are quite thorough, including the names of several websites where the malware attempts to download additional code from. Firewall administrators will want to be on the lookup for traffic to these sites:

* robot.10wrj.com
* ls.cc86.info
* ls.lenovowireless.net
* ls.playswomen.com

The full URLs were not given in the technical article.

When we finally got our hands on the malware, thanks to Packet Ninja's Daniel Uriah Clemens, we were able to conclusively agree with Haley about the Chinese origins. Big hints are revealed in the strings of some of the dropped malware, which includes strings we found on Chinese anti-virus discussion sites, dating back as early as August of this year, discussing code used by a DDOS Botnet. (For example, this page on "HackPro.cn").

In particular, the configuration of the webserver planted on the boxes defaults to Chinese language (Accept-Language: zh-cn), and the list of anti-virus update and forums which should be null routed clearly was built by someone considering Chinese anti-virus tools as the main ones which should be blocked.

This list updates the "hosts" table on the compromised computer, which prevents contact with the various anti-virus sites listed below.
127.0.0.1 www.360Safe.com
127.0.0.1 www.360.cn
127.0.0.1 bbs.360safe.com
127.0.0.1 baike.360.cn
127.0.0.1 kaba.360.cn
127.0.0.1 bbs.360.cn
127.0.0.1 360.cn
127.0.0.1 forum.ikaka.com
127.0.0.1 tool.ikaka.com
127.0.0.1 file.ikaka.com
127.0.0.1 update.ikaka.com
127.0.0.1 bbs.ikaka.com
127.0.0.1 bbs.janmeng.com
127.0.0.1 www.ikaka.com
127.0.0.1 forum.jiangmin.com
127.0.0.1 update.rising.com.cn
127.0.0.1 online.rising.com.cn
127.0.0.1 center.rising.com.cn
127.0.0.1 www.rising.com.cn
127.0.0.1 fw.rising.com.cn
127.0.0.1 csc.rising.com.cn
127.0.0.1 buy.rising.com.cn
127.0.0.1 sos.rising.com.cn
127.0.0.1 download.rising.com.cn
127.0.0.1 help.rising.com.cn
127.0.0.1 go.rising.com.cn
127.0.0.1 up.duba.net
127.0.0.1 bbs.duba.net
127.0.0.1 shadu.baidu.com
127.0.0.1 www.kztechs.com
127.0.0.1 security.symantec.com
127.0.0.1 shadu.duba.net
127.0.0.1 online.jiangmin.com
127.0.0.1 cn.mcafee.com
127.0.0.1 bbs.mcafeefans.com
127.0.0.1 mcafeefans.com
127.0.0.1 www.ahn.com.cn
127.0.0.1 www.kaspersky.com.cn
127.0.0.1 www.kaspersky.com
127.0.0.1 www.pcav.cn
127.0.0.1 www.vrv.com.cn
127.0.0.1 bbs.sucop.com
127.0.0.1 www.sucop.com
127.0.0.1 sucop.com
127.0.0.1 bbs.cpcw.com
127.0.0.1 www.shudoo.com
127.0.0.1 alert.rising.com.cn
127.0.0.1 www.dswlab.com
127.0.0.1 dswlab.com
127.0.0.1 bbs.dswlab.com
127.0.0.1 zhidao.ikaka.com
127.0.0.1 bbs.kafan.cn
127.0.0.1 bbs.kaspersky.com.cn
127.0.0.1 www.trendmicro.com.cn
127.0.0.1 bbs.trendmicro.com.cn
127.0.0.1 cn.trendmicro.com
127.0.0.1 www.kpfans.com
127.0.0.1 kpfans.com
127.0.0.1 www.mcafee.com
127.0.0.1 dnl-cn1.kaspersky-labs.com
127.0.0.1 dnl-cn2.kaspersky-labs.com
127.0.0.1 dnl-cn3.kaspersky-labs.com
127.0.0.1 dnl-cn4.kaspersky-labs.com
127.0.0.1 dnl-cn5.kaspersky-labs.com
127.0.0.1 dnl-cn6.kaspersky-labs.com
127.0.0.1 dnl-cn7.kaspersky-labs.com
127.0.0.1 dnl-cn8.kaspersky-labs.com
127.0.0.1 dnl-cn9.kaspersky-labs.com
127.0.0.1 dnl-cn10.kaspersky-labs.com
127.0.0.1 dnl-cn11.kaspersky-labs.com
127.0.0.1 dnl-cn12.kaspersky-labs.com
127.0.0.1 dnl-cn13.kaspersky-labs.com
127.0.0.1 dnl-cn14.kaspersky-labs.com
127.0.0.1 dnl-cn15.kaspersky-labs.com
(many other Kaspersky sites listed are omitted here).


Knowing that the origins of the virus were probably Chinese, we started looking to our Chinese friends for help understanding the malware.

Here's an October 2, 2008 posting on duba.net that gives samples of the DDOS Configuration Script, and uses the same name for the malware found on the August link above ( vv1dap32.exe ). This is NOT THE WORM, but is rather referring to the DDOS engine which is being loaded by the worm-infected computers.

In that earlier DDOS program, the updated malware was loaded from "ushealthmart.com". That malware is still available (webcc.exe) and still very unlikely to be detected according to Virus Total, who shows only a 6 of 36 detection rate for the earlier worm, which they have seen reported since October 7th.

F-Secure 8.0.14332.0 2008.11.03 Worm:W32/AutoRun.JF
Kaspersky 7.0.0.125 2008.11.03 Worm.Win32.Downloader.wo
NOD32 3579 2008.11.03 Win32/KernelBot.AA
Panda 9.0.0.4 2008.11.03 Suspicious file
Sophos 4.35.0 2008.11.03 Troj/Agent-ICY
Symantec 10 2008.11.03 W32.Kernelbot.A

Some strings found in the current malware may help with identification of an author, or at least an authoring host:

e:\work\supermj\drivers\360antirk\objfre_w2K_x86\i386\360IceBreaker.pdb

d:\Works\KernelBots_Up28\Server\Release\Server.pdb
Email ThisBlogThis!Share to XShare to Facebook
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Happy New Year! Here's a Virus! (New Year's Postcard malware)
    I've been busy this week looking at the various defacements (see ComputerWorld , and ABC News ) and other cyber attacks (see yesterday...
  • From Russia, With Love . . . new Postcard spam spies on your PC
    Isn't it nice to have friends who send you postcards? The UAB Spam Data Mine is especially fortunate in that way. Beginning the evenin...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • Tempting Photo Attachments Lead to Fake AV
    One of today's largest malicious spam campaigns continued an occasional theme we've been seeing for a few weeks. A subject line, fo...
  • What about the Social Security Numbers? (The Utah Data Breach and your SSN)
    The Utah Data Breach This week the continuing saga of the Utah Medicaid Data Breach continued to unfold. If you haven't been following...
  • Stop the Rumors: Quit SMSing about WalMart Gang Initiations
    My daughter and her teenage friend were sitting on the couch watching TV today when they began getting text messages on their phone. Here...
  • Minipost: IPR Center celebrates Cyber Monday
    The National Intellectual Property Rights Center (IPR Center) announced today that in celebration of Cyber Monday, they have Seized 82 Domai...
  • ACH Spammer switches to Shortened URLs
    For many weeks now the spammers behind one particular malware family have been fighting a running battle to keep their malware-hosting domai...
  • Work at Home . . . for a Criminal?
    How do you tell if a "Work at Home" invitation is a scam? Here's a clue: It comes in your email. In today's Blog, I tho...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ►  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ►  January (7)
  • ►  2009 (92)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ▼  2008 (101)
    • ►  December (7)
    • ▼  November (17)
      • Mumbai Bombings: Coordinated Bombings in India are...
      • Bank of America Demo Account - DO NOT CLICK
      • AsProx: The Phisher King?
      • Igor Klopov sentenced
      • Facebook Users Beware
      • Enlisting YOUR BANK to steal your identity
      • Post McColo Spam - What do we see?
      • Unprecedented Drop in Spam
      • Internet Landfill: McColo Corporation
      • Microsoft Reveals Malware and Spam Trends
      • Election Malware and Obama Pill Ads?
      • Election Malware Targets Sore Losers - McCain Vide...
      • Yesterday's Obama Spammer Now Imitates Colonial Bank
      • Computer Virus masquerades as Obama Acceptance Spe...
      • ICE: Operation Predator - Solving Intertwined Chil...
      • More Merger Malware Wachovia Wells Fargo
      • MS08-067: New RPC Worm from China
    • ►  October (11)
    • ►  September (10)
    • ►  August (22)
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile