MS08-067 Worm in the wild?
Last Updated: 2008-11-04 14:20:19 UTC
by Joel Esler (Version: 6)
UPDATE 2: After waking up this morning and reading my email, I've noticed that there are at least 2 variants of a worm spreading using the MS08-067 vulnerability. One of the variants spreads both by exploiting the vulnerability and through at least one P2P network (Emule).
From what I can see, scanning takes place on port 139 to find other machines, and the exploit itself takes place over port 445. This is the primary method of spreading. I would suggest, if you haven't already, blocking these ports at your outer firewall. That will keep it from getting in via network exploitation; now you just have to worry about things like VPN users, people bringing it in from home on their laptops, etc. All the usual suspects.
Make sure your systems are fully patched, make sure you have the latest virus definitions, make sure your firewalls are secure, make sure your IDSs are updated to detect the threat.
I think these are the first couple of worms in a series of worms that we will see, each getting more sophisticated. So, unless something new comes up, I won't update this diary entry anymore.
UPDATE 1: The "Worm" appears to be spreading over the local network, on port 445.
Speaking from a Snort perspective, as pointed out in the VRT blog, not only does this worm trigger the new rules that Sourcefire has written for Snort for the newest 08-067 vulnerability, but this particular variant of the worm also triggers an older rule that VRT wrote for 06-040, rule 1:7224, since this worm uses one of the milw0rm exploits.
I took a pcap that we received of the worm traffic on port 445 and ran it through Snort. The following rules alerted:
[1:7224:8] NETBIOS SMB-DS srvsvc NetrPathCanonicalize unicode little endian overflow attempt
[3:14817:1] NETBIOS SMB srvsvc NetrpPathCononicalize unicode little endian path cononicalization stack overflow attempt
[3:14783:1] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt
The first one is the 06-040 rule that I was telling you about above; the second two are shared object rules written for this vulnerability. The rules are available here.
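To turn the three alerts above into something an analyst can act on (which internal hosts are sending the exploit, and therefore are probably infected), here is a small triage script. It is an added example, not code from the diary, from SANS ISC or from Sourcefire. The alert lines it parses are constructed for illustration using the rule messages quoted above plus one unrelated local rule; the layout of Snort's "fast" alert output and the hosts/ports are assumptions, and the SID-to-label mapping is taken from the diary's description of the three rules.

```python
import re
from collections import Counter

# Layout of a Snort "alert_fast" line (assumed for this example):
# <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: N] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"(?:\s+\[Priority:\s+(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Rules named in the diary: 1:7224 is the older MS06-040 rule the worm also
# trips; 3:14817 and 3:14783 are the shared-object rules written for MS08-067.
MS08_067_SIDS = {
    (1, 7224): "MS06-040 NetrPathCanonicalize rule (also fires on this worm)",
    (3, 14817): "MS08-067 SMB shared-object rule",
    (3, 14783): "MS08-067 DCERPC shared-object rule",
}

# Constructed sample alerts: two internal hosts sending the exploit to port 445,
# one unrelated local rule (SID in the 1000000+ local range), one junk line.
SAMPLE_ALERTS = """\
11/04-09:12:31.118204  [**] [1:7224:8] NETBIOS SMB-DS srvsvc NetrPathCanonicalize unicode little endian overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.23:1042 -> 10.0.0.7:445
11/04-09:12:31.118251  [**] [3:14817:1] NETBIOS SMB srvsvc NetrpPathCononicalize unicode little endian path cononicalization stack overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.23:1042 -> 10.0.0.7:445
11/04-09:12:31.118290  [**] [3:14783:1] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.23:1042 -> 10.0.0.7:445
11/04-09:12:40.004411  [**] [3:14817:1] NETBIOS SMB srvsvc NetrpPathCononicalize unicode little endian path cononicalization stack overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.41:1088 -> 10.0.0.9:445
11/04-09:12:55.330010  [**] [1:1000001:1] LOCAL example unrelated alert [**] [Classification: Misc Attack] [Priority: 3] {UDP} 10.0.0.99:3381 -> 10.0.0.7:1434
this line is not an alert
"""


def parse_alert(line):
    """Parse one fast-format alert line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        alert[key] = int(alert[key])
    return alert


def triage(lines):
    """Keep only MS08-067-related alerts aimed at SMB (tcp/445).

    Returns (hits, sources): the matching alerts with a human-readable label,
    and a Counter of source addresses, i.e. the hosts that should be isolated
    and checked first.
    """
    hits = []
    sources = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        label = MS08_067_SIDS.get((alert["gid"], alert["sid"]))
        if label is None or alert["dport"] != 445:
            continue
        alert["label"] = label
        hits.append(alert)
        sources[alert["src"]] += 1
    return hits, sources


def report(lines):
    """Summarise suspect sources as 'src -> N alerts' strings, busiest first."""
    _, sources = triage(lines)
    return [f"{src} -> {n} MS08-067 alert(s)" for src, n in sources.most_common()]


if __name__ == "__main__":
    for row in report(SAMPLE_ALERTS.splitlines()):
        print(row)
```

Pointing the script at a real `alert` file (one line per alert, `alert_fast` output) gives a short list of internal sources to pull off the network first; the port-445 check filters out the same signatures firing on unrelated traffic, and the unrelated local rule and the junk line are dropped by the parser.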
Stay tuned, as I will attempt to keep you updated.
We have received a report of an MS08-067 worm in the wild.
Reported file size 16,384 bytes:
Kaspersky Lab detects the new wave as
and Microsoft as
Sophos uses the name Mal/Generic-A.
Many thanks to Juha-Matti for sending us an email.
-- Joel Esler http://www.joelesler.net