Sunday, October 26, 2008

MS08-067 Vulnerability : My Random Rundown

Background

The out-of-band patch released by Microsoft a couple of days back addresses a vulnerability caused by the Windows Server service not being able to handle malformed RPC (Remote Procedure Call) requests. The vulnerable component of the Server service is netapi32.dll (Net Win32 API DLL). The out-of-band update addresses the vulnerability by correcting the manner in which the Server service handles RPC requests.

On a computer running Microsoft Windows 2000, Windows XP or Windows Server 2003, an attacker who is able to exploit this hole could take control of a vulnerable system remotely, without any authentication (anonymously), and execute arbitrary code. The non-affected versions are 5.0.2195.7203 on Windows 2000 SP4, 5.1.2600.5694 on Windows XP SP3 and several 6.0.6000.xxxx versions on Vista SP1 (see KB958644 for details). This particular vulnerability could be used in the crafting of a wormable exploit. If successfully exploited, an attacker could gain system-level privileges (able to install programs; view, change or delete data; or create new accounts with full user rights) and take complete control of the affected system. The relative attack surface on a Windows Vista or Windows Server 2008 machine is considerably smaller than on the vulnerable versions mentioned earlier: on these two versions the vulnerable code path is only reachable by authenticated users, so it cannot be triggered by an attacker who is not authenticated.
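To turn the fixed version numbers above into a quick patch-state check, here is an added example (not code from the original post) that compares a netapi32.dll file version against the two thresholds the post quotes. It only encodes the Windows 2000 SP4 and Windows XP SP3 numbers given above; the Vista/Server 2008 lines and the XP SP2 revision range are not listed in the post, so they are reported as "unknown" rather than guessed. The numbers are the GDR-branch versions; a file from the QFE/LDR branch needs the per-branch numbers from KB958644.

```python
"""Added example: classify a netapi32.dll file version against the MS08-067
fixed versions quoted in the post (5.0.2195.7203 for Windows 2000 SP4,
5.1.2600.5694 for Windows XP SP3). Not part of the original post."""

# Fixed versions from the post, keyed by the (major, minor, build) line the
# file belongs to. The build number identifies the OS line; the revision
# (fourth field) is what a security update bumps.
FIXED_VERSIONS = {
    (5, 0, 2195): (5, 0, 2195, 7203),  # Windows 2000 SP4
    (5, 1, 2600): (5, 1, 2600, 5694),  # Windows XP SP3 (GDR branch)
}

# XP SP3 files carry revisions from 5000 upward; SP2 files use a lower range
# that the post does not cover, so those are treated as unknown (assumption).
XP_SP3_MIN_REVISION = 5000


def parse_version(text):
    """Turn a string such as '5.1.2600.5694' into a 4-tuple of ints."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def assess_netapi32(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for a netapi32.dll version.

    Tuples compare field by field, so within one OS line the revision decides.
    Lines the post gives no number for (Vista, Server 2008, XP SP2) come back
    as 'unknown' instead of a guess."""
    version = parse_version(version_text)
    line = version[:3]
    if line not in FIXED_VERSIONS:
        return "unknown"
    if line == (5, 1, 2600) and version[3] < XP_SP3_MIN_REVISION:
        return "unknown"  # XP SP2 revision range, not covered by the post
    return "patched" if version >= FIXED_VERSIONS[line] else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs: the SP3 RTM file and the fixed file.
    for sample in ("5.1.2600.5512", "5.1.2600.5694", "5.0.2195.7203", "6.0.6001.18000"):
        print(sample, "->", assess_netapi32(sample))
```

On a live host the version string would come from the file's version resource (for example, the Properties dialog of %SystemRoot%\System32\netapi32.dll); the function itself is pure so it can be run against an inventory export offline.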

Workaround

The security bulletin lists the following workarounds:

- Disable the Server and Computer Browser services
- Block TCP ports 139 and 445 at the firewall

However, implementing these may have adverse effects on certain services (file and print sharing, for example) and applications that depend on the Server and Computer Browser services. Blocking TCP ports 139 and 445 at the firewall may also cause applications and services (Net Logon, Group Policy and DFS, to name a few) to function improperly, if at all.

Malware Exploiting the MS08-067 Vulnerability

Here's a list of the reported malware as detected by some of the more popular antivirus programs:

Authentium - W32/Gimmiv.A
CA - Win32/Gimmiv.A
Dr.Web - DLOADER.PWS.Trojan
F-Secure - Trojan-Spy:W32/Gimmiv.A
McAfee - PWS.y!C91DA1B9
Microsoft - TrojanSpy:Win32/Gimmiv.A[.dll] (exploit: Exploit:Win32/MS08067.gen!A)
Panda - Gimmiv.A
Sophos - Sus/Dropper-A
Symantec - Trojan.Gimmiv.A
Trend Micro - WORM_GIMMIV.A

The malware's payload tries to gather the following information:

* User name
* Computer name
* Network adapters / IP addresses
* Installed COM objects
* Installed programs and installed patches
* Recently opened documents
* Outlook Express and MSN Messenger credentials
* Protected Storage credentials

With a reported "call-home" capability, the malware contacts a remote web server with the information it has extracted. A more detailed description of this capability is given in the Analysis section for the malware at the Microsoft Malware Protection Center. Note that the malware encrypts the data sent back to the remote web server with AES before dropping a batch file that deletes the malware service and removes itself from the affected system.

Changes to the File System and Registry

The malware modifies the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr registry key. It also downloads the files basesvc.dll, syicon.dll, winbase.dll and winbaseInst.exe to the System32\wbem folder. These files are deleted after the malware has completed its run and reported back to the remote web server.
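The file names and service key above are the artifacts a responder would look for. As an added example (not code from the original post), the following checks a list of file paths and service names against exactly those indicators. The sample inputs in the block are constructed; the matching is case-insensitive and accepts either slash style, since NTFS lookups are case-insensitive and inventory tools export paths in both forms.

```python
"""Added example: match file paths and service names against the Gimmiv.A
indicators listed in the post. The indicator values are the post's; the
sample inputs are constructed for demonstration."""
import ntpath
import os

# Files the post says are dropped into System32\wbem (compared lower-case).
DROPPED_FILES = {"basesvc.dll", "syicon.dll", "winbase.dll", "winbaseinst.exe"}
DROP_DIR = "system32\\wbem"
# Service whose key under HKLM\SYSTEM\CurrentControlSet\Services the post says is modified.
SUSPECT_SERVICE = "sysmgr"


def file_indicators(paths):
    """Return the paths that name a dropped file inside a System32\\wbem
    directory. The drop directory check matters: the same file name in
    another folder is not one of the post's indicators."""
    hits = []
    for original in paths:
        norm = original.replace("/", "\\").lower()
        head, tail = ntpath.split(norm)
        if tail in DROPPED_FILES and head.endswith(DROP_DIR):
            hits.append(original)
    return hits


def service_indicators(service_names):
    """Return the service names that match the post's sysmgr service."""
    return [name for name in service_names if name.strip().lower() == SUSPECT_SERVICE]


def scan_tree(root):
    """Walk a real directory tree (e.g. an offline image mount) and apply
    file_indicators to every file found under it."""
    found = []
    for dirpath, _, filenames in os.walk(root):
        found.extend(os.path.join(dirpath, name) for name in filenames)
    return file_indicators(found)


if __name__ == "__main__":
    # Constructed inventory: two indicator files, one legitimate wbem file,
    # and a same-named file outside the drop directory.
    sample_paths = [
        r"C:\WINDOWS\system32\wbem\basesvc.dll",
        "c:/windows/system32/wbem/winbaseInst.exe",
        r"C:\WINDOWS\system32\wbem\wmiprvse.exe",
        r"C:\Temp\winbase.dll",
    ]
    sample_services = ["Browser", "lanmanserver", "SysMgr"]
    print(file_indicators(sample_paths))      # the two wbem drop files
    print(service_indicators(sample_services))  # ['SysMgr']
```

Because the post notes the dropped files are deleted once the malware has reported home, a hit means an infection in progress or interrupted, while an empty result does not clear the host; the service key and the outbound web connection are the longer-lived signals.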
