Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog - *MS06-040 exploit in the wild InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

*MS06-040 exploit in the wild

Published: 2006-08-13
Last Updated: 2006-08-13 17:57:47 UTC
by Swa Frantzen (Version: 7)
0 comment(s)
We have caught a live exploit against a Windows 2000 Server. The pcap packets of the exploit fire the signatures in snort for the vulnerability described in MS06-040.

We have multiple independent sources of reports at this time.

It looks like it's building a botnet (as we expected).
Signs defenders should look for:
  • Filename: wgareg.exe, MD5: 9928a1e6601cf00d0b7826d13fb556f0 (this is the bot)
  • Incoming traffic on 445/TCP but there is a lot of background noise on that port.
  • Snort signatures firing on:
    • BLEEDING-EDGE EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)  [Bleedingsnort]
    • NETBIOS SMB-DS srvsvc NetrPathCanonicalize little endian overflow attempt [Sourcefire VRT]
  • Outgoing traffic to (Command and Control center, multiple IPs, IRC)
  • Outgoing traffic to [we haven't seen those ourselves but do have multiple independent sources confirming it]
  • Outgoing traffic to port 445/TCP (scanning for victims and exploiting them)
Since this is a botnet, these bots might do much more depending on what the controller has in store for them. So unfortunately you basically only have the choice to clean them by wiping the disk if you ever want to trust the machines again.

Please do not ask for samples at this point.
We have shared it with the usual anti-virus vendors already.

Should you find other activity of these bots or differing MD5, we would very much appreciate a copy at the contact page.

We ran the bot through virustotal:
Scan results
 File: wgareg.exe
 Date: 08/13/2006 03:03:43 (CET)
AntiVir       found [HEUR/Crypted.Layered]
Authentium      4.93.8/20060812 found [Possibly a new variant of W32/Threat-HLLIM-based!Maximus]
Avast   4.7.844.0/20060810      found nothing
AVG     386/20060811    found nothing
BitDefender     7.2/20060813    found [Generic.Malware.IXdld.658BDD6B]
CAT-QuickHeal   8.00/20060812   found [(Suspicious) - DNAScan]
ClamAV  devel-20060426/20060813 found nothing
DrWeb    4.33/20060812  found nothing
eTrust-InoculateIT      23.72.94/20060812       found nothing
eTrust-Vet      30.3.3012/20060811      found nothing
Ewido   4.0/20060812    found nothing
Fortinet       found nothing
F-Prot  3.16f/20060811  found [Possibly a new variant of W32/Threat-HLLIM-based!Maximus]
F-Prot4       found [W32/Threat-HLLIM-based!Maximus]
Ikarus       found nothing
Kaspersky       found nothing
McAfee  4827/20060811   found nothing
Microsoft       1.1508/20060804 found nothing
NOD32v2 1.1704/20060811 found [a variant of Win32/IRCBot.OO]
Norman  5.90.23/20060811        found [W32/Suspicious_M.gen]
Panda        found [Suspicious file]
Sophos  4.08.0/20060812 found nothing
Symantec        8.0/20060813    found nothing
TheHacker      found nothing
UNA     1.83/20060811   found nothing
VBA32   3.11.0/20060811 found nothing
VirusBuster     4.3.7:9/20060812        found nothing
wgareg.exe messes in the windows registry. One of the things it adds is a description of itself: "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.". Right ... It also appears to change settings related to firewalls and sharing.

LURHQ has also a story on the same by Joe Stewart and they also found a variant of the binary with a different MD5 and slightly different behaviour.

Thanks to all involved: William, Jim, Scott, Dan and all those I forgot.

Swa Frantzen -- Section 66
0 comment(s)
Diary Archives