Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[security-alerts] FW: Out of band patch heads up
-----Original Message-----
From: Hayes, Bill [mailto:Bill.Hayes@xxxxxxx]
Sent: Thursday, October 23, 2008 11:24 PM
To: Patch Management Mailing List
Subject: RE: Out of band patch heads up
Ryan Naraine of "Ryan Naraine's Zero Day Blog" has confirmed that
limited exploitation of the MS08-067 RPC request flaw is now occurring.
According to Naraine, "Microsoft said it was aware of 'limited,
targeted attacks attempting to exploit the vulnerability' but the
company did not provide any clues about the origin of the attacks or the
target that was hit. There are no signs yet of public proof-of-concept
code."
Remember that reverse engineering the MS08-067 patch will show virus
writers how to exploit the RPC request flaw. Again, I think we have
about 24 hours before a worm appears. SophosLabs is also stating that
SMB and RPC services are vulnerable.
Vanja Svajcer of SophosLabs, UK wrote, "When Microsoft decides to
release an out of band security update only a week after the regular
monthly update you can be sure that we are dealing with a serious
issue."
Svajcer noted that the MS08-067 flaw can be exploited using an
unauthenticated SMB/RPC session. "It is a classic buffer overflow
vulnerability with a potential to cause serious headache to system
administrators if left unpatched," Svajcer wrote.
MS has just released new information indicating that the exploit was
present in Trojan horse attacks. Remember that this exploit CAN be used
to craft Internet worms and the new virus writers may not have the same
objectives as the Trojan horse writers.
Microsoft stated, "We also have detection for the malware we found
used in attacks exploiting this vulnerability (TrojanSpy:Win32/Gimmiv.A
and TrojanSpy:Win32/Gimmiv.A.dll)." This is a password-stealing Trojan
horse that also gathers system information, including the names of
recently opened documents. According to MS, the Gimmiv.A Trojan horse is
being distributed as an executable with the file name 'n2.exe'.
This Trojan then phones home with <remote IP address>/test2.php?abc=<abc
value>?def=<def value>. An outbound HTTP GET string might look like
<remote IP address>/test2.php?abc=1?def=2. As soon as the Trojan
completes uploading system info and passwords, "the Trojan service
stops, then drops and runs a batch script that unregisters the Trojan
service and deletes it," Microsoft stated.
References:
Ryan Naraine's Zero Day Blog - http://blogs.zdnet.com/security/?p=2062
SophosLabs Blog with Vanja Svajcer - http://www.sophos.com/security/blog/2008/10/1878.html?_log_from=atom
Sophos Advisory - http://www.sophos.com/support/knowledgebase/article/47804.html
Microsoft Security Response Center - http://blogs.technet.com/msrc/archive/2008/10/23/ms08-067-released.aspx
TrojanSpy:Win32/Gimmiv.A - http://www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin32%2fGimmiv.A
TrojanSpy:Win32/Gimmiv.A.dll - http://www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin32%2fGimmiv.A.dll
Bill...
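The message above gives one concrete network indicator for Gimmiv.A: an outbound HTTP GET for test2.php carrying abc= and def= parameters, with the second separator written as a literal '?' rather than '&'. The following script is an added example, not part of the forwarded message or of any vendor's detection content; it runs that indicator over a few constructed proxy log lines (the "timestamp client method url status" layout is an assumption, as are all IP addresses) and reports which internal hosts produced a matching beacon.

```python
import re
from typing import Dict, List

# Constructed sample proxy log lines (not real traffic). Assumed layout:
# "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2008-10-24T09:12:01Z 10.0.0.15 GET http://192.0.2.10/test2.php?abc=1?def=2 200
2008-10-24T09:12:05Z 10.0.0.22 GET http://intranet.example/index.php?abc=1 200
2008-10-24T09:13:40Z 10.0.0.31 GET http://198.51.100.7/test2.php?abc=7&def=3 200
2008-10-24T09:14:02Z 10.0.0.15 GET http://192.0.2.10/test2.php 404
"""

# One proxy log record, split into named fields.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# The beacon as described in the advisory: test2.php with abc= and def=.
# The advisory shows "?abc=1?def=2", i.e. a second '?' where '&' would be
# expected, so the separator class accepts either character.
GIMMIV_BEACON = re.compile(
    r"/test2\.php\?abc=(?P<abc>[^?&\s]*)[?&]def=(?P<def>[^?&\s]*)"
)


def find_beacons(log_text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose URL matches the beacon pattern."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = LOG_LINE.match(line.strip())
        if rec is None:
            continue  # skip lines that do not fit the assumed layout
        beacon = GIMMIV_BEACON.search(rec.group("url"))
        if beacon is None:
            continue
        hits.append(
            {
                "ts": rec.group("ts"),
                "src": rec.group("src"),
                "url": rec.group("url"),
                "abc": beacon.group("abc"),
                "def": beacon.group("def"),
            }
        )
    return hits


def affected_hosts(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct internal source addresses that produced a beacon, sorted."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    found = find_beacons(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['src']} -> {h['url']} (abc={h['abc']}, def={h['def']})")
    print("hosts to isolate and check for n2.exe:", affected_hosts(found))
```

The match is anchored on the path and both parameter names rather than on the remote IP, since the message gives the address only as a placeholder; hosts returned by affected_hosts are the ones worth pulling for the n2.exe artefact and the service-unregistering batch script the message describes.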