MS08-067 exploit in wild (Oct 23, 2008)

Today the SonicWALL UTM Research team received samples exploiting the newly patched MS08-067 Windows Server Service vulnerability. We have received at least 10 distinct copies of this exploit malware. The filenames were n[x].exe (where [x] is 1, 2 or 3).

The malware is 397,312 bytes in size. When executed, it drops the following malicious file in the system folder:

  • sysmgr.dll

It starts a service named “sysmgr (System Maintenance Service)” and then deletes the original copy of the malware from the folder where it was executed.

It tries to communicate with the following hosts over HTTP:

  • summertime.1gokurimu.com
  • doradora.atzend.com
  • perlbody.t35.com
  • 59.106.145.58

The trojan builds a beacon URL from the operating system and antivirus information it collects, in the following format: IPADDRESS/test2.php?abc=A?def=B

Here A is a numeric code for the antivirus application found on the host and B is a numeric code for the operating system. The two values vary depending on the host computer.
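The beacon shape above is specific enough to hunt for in web proxy logs. The following script is an added example, not part of the original advisory or of SonicWALL's signatures: it parses Squid-style access log lines (an assumed layout; the sample lines are constructed, not captured traffic), matches the `/test2.php?abc=A?def=B` pattern, extracts the A and B codes, and flags whether the destination is one of the hosts listed in the advisory. The pattern also accepts `&` as the second separator, which is an assumption made so that proxies that normalise the query string still match.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Hosts named in the advisory as the trojan's HTTP destinations.
KNOWN_C2_HOSTS = {
    "summertime.1gokurimu.com",
    "doradora.atzend.com",
    "perlbody.t35.com",
    "59.106.145.58",
}

# Beacon shape from the advisory: IPADDRESS/test2.php?abc=A?def=B with A and B numeric.
# Accepting "&" as the second separator is an assumption (normalised proxy logs).
BEACON_RE = re.compile(r"/test2\.php\?abc=(\d+)[?&]def=(\d+)(?:$|[&#?])")

# Squid native access log layout (assumed):
# <timestamp> <elapsed> <client> <result/code> <bytes> <method> <url> ...
SQUID_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


@dataclass
class BeaconHit:
    timestamp: str
    client: str
    host: str
    av_code: int      # "A": the trojan's numeric code for the installed antivirus
    os_code: int      # "B": the trojan's numeric code for the operating system
    known_host: bool  # True when the destination is one of the advisory's hosts


def classify_url(url: str) -> Optional[Tuple[str, int, int]]:
    """Return (host, A, B) if the URL has the beacon shape, otherwise None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    path_and_query = parts.path + ("?" + parts.query if parts.query else "")
    m = BEACON_RE.search(path_and_query)
    if not m or parts.hostname is None:
        return None
    return parts.hostname, int(m.group(1)), int(m.group(2))


def scan_access_log(lines) -> List[BeaconHit]:
    """Return one BeaconHit per log line whose URL matches the beacon shape."""
    hits: List[BeaconHit] = []
    for line in lines:
        m = SQUID_LINE_RE.match(line)
        if not m:
            continue
        classified = classify_url(m.group("url"))
        if classified is None:
            continue
        host, a, b = classified
        hits.append(BeaconHit(m.group("ts"), m.group("client"), host, a, b,
                              host in KNOWN_C2_HOSTS))
    return hits


# Constructed sample log; clients and unlisted destinations use documentation address ranges.
SAMPLE_LOG = """\
1224720000.123 85 10.0.0.15 TCP_MISS/200 312 GET http://59.106.145.58/test2.php?abc=3?def=5 - DIRECT/59.106.145.58 text/html
1224720001.456 40 10.0.0.15 TCP_MISS/200 1200 GET http://www.example.com/index.html - DIRECT/203.0.113.8 text/html
1224720002.789 90 10.0.0.22 TCP_MISS/404 0 GET http://perlbody.t35.com/test2.php?abc=0?def=2 - DIRECT/203.0.113.9 text/html
1224720003.000 70 10.0.0.31 TCP_MISS/200 300 GET http://unlisted.example.net/test2.php?abc=7&def=1 - DIRECT/203.0.113.10 text/html
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        tag = "KNOWN C2" if hit.known_host else "unlisted host, same beacon shape"
        print(f"{hit.timestamp} {hit.client} -> {hit.host} A={hit.av_code} B={hit.os_code} [{tag}]")
```

A hit against an unlisted host is still worth triage: the URL shape is a property of the trojan, while the host list is only what was observed in these samples.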

It also performs the following registry modifications:

  • Creates key “HKLM\System\CurrentControlSet\Services\sysmgr\Parameters”.
  • Sets value “ServiceDll”=“C:\WINDOWS\SYSTEM32\wbem\sysmgr.dll” in key “HKLM\System\CurrentControlSet\Services\sysmgr\Parameters”.
  • Sets value “ServiceMain”=“ServiceMainFunc” in key “HKLM\System\CurrentControlSet\Services\sysmgr\Parameters”.
  • Creates key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost”.
  • Sets value “sysmgr”=“sysmgr” in key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost”.
  • Sets value “I”=“” in key “HKLM\System\CurrentControlSet\Services\sysmgr”.
  • Sets value “DisplayName”=“System Maintenance Service” in key “HKLM\System\CurrentControlSet\Services\sysmgr”.
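The registry changes above are the classic pattern of a DLL-based service hosted by svchost.exe: a `Parameters\ServiceDll` pointing at the dropped DLL, a `ServiceMain` export name, and a new group under the `SvcHost` key. The script below is an added example, not part of the advisory, that turns those entries into a host check. The comparison logic is written against an abstract reader so it can run on Windows against the live registry (via the standard `winreg` module) or anywhere against a snapshot dictionary such as one parsed from a `reg export`; the snapshots in the block are constructed for illustration.

```python
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# (key path, value name, expected data) taken from the advisory's registry list.
EXPECTED_ARTIFACTS: List[Tuple[str, str, str]] = [
    (r"HKLM\System\CurrentControlSet\Services\sysmgr\Parameters", "ServiceDll",
     r"C:\WINDOWS\SYSTEM32\wbem\sysmgr.dll"),
    (r"HKLM\System\CurrentControlSet\Services\sysmgr\Parameters", "ServiceMain", "ServiceMainFunc"),
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost", "sysmgr", "sysmgr"),
    (r"HKLM\System\CurrentControlSet\Services\sysmgr", "I", ""),
    (r"HKLM\System\CurrentControlSet\Services\sysmgr", "DisplayName", "System Maintenance Service"),
]

# A reader maps (key_path, value_name) to the stored data, or None when absent.
Reader = Callable[[str, str], Optional[str]]


@dataclass
class Finding:
    key: str
    value: str
    observed: str
    exact_match: bool  # data equals the advisory's value (case-insensitive)


def check_artifacts(read: Reader) -> List[Finding]:
    """Report every advisory value that exists on the host, noting whether the data matches."""
    findings: List[Finding] = []
    for key, name, expected in EXPECTED_ARTIFACTS:
        observed = read(key, name)
        if observed is None:
            continue
        findings.append(Finding(key, name, observed, observed.lower() == expected.lower()))
    return findings


def snapshot_reader(snapshot: Dict[str, Dict[str, str]]) -> Reader:
    """Reader over {key_path: {value_name: data}}; registry names are case-insensitive."""
    lowered = {k.lower(): {vn.lower(): d for vn, d in vals.items()} for k, vals in snapshot.items()}

    def read(key: str, name: str) -> Optional[str]:
        return lowered.get(key.lower(), {}).get(name.lower())
    return read


def live_reader() -> Reader:
    """Reader over the live registry (Windows only). All advisory keys are under HKLM."""
    import winreg

    def read(key: str, name: str) -> Optional[str]:
        _root, _, subkey = key.partition("\\")
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as handle:
                data, _kind = winreg.QueryValueEx(handle, name)
                return str(data)
        except OSError:  # key or value missing, or access denied
            return None
    return read


# Constructed snapshots: one mirroring the advisory's artifacts (with casing that
# differs from the advisory, to exercise the case-insensitive compare), one clean.
INFECTED_SNAPSHOT: Dict[str, Dict[str, str]] = {
    r"HKLM\System\CurrentControlSet\Services\sysmgr": {
        "DisplayName": "System Maintenance Service",
        "I": "",
    },
    r"HKLM\System\CurrentControlSet\Services\sysmgr\Parameters": {
        "ServiceDll": r"c:\windows\system32\wbem\sysmgr.dll",
        "ServiceMain": "ServiceMainFunc",
    },
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost": {
        "netsvcs": "Browser",
        "sysmgr": "sysmgr",
    },
}
CLEAN_SNAPSHOT: Dict[str, Dict[str, str]] = {
    r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost": {"netsvcs": "Browser"},
}

if __name__ == "__main__":
    reader = live_reader() if sys.platform == "win32" else snapshot_reader(INFECTED_SNAPSHOT)
    for f in check_artifacts(reader):
        state = "matches advisory" if f.exact_match else "present, different data"
        print(f"{f.key}\\{f.value} = {f.observed!r} ({state})")
```

A value that is present with different data (for example a `ServiceDll` under the same service name pointing elsewhere) is reported rather than ignored, since a variant may keep the service name and change the payload path.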

This malware has a very low detection rate at the time of this writing: Win32/Gimmiv.A [Microsoft], Generic Dropper [McAfee], Mal/Generic-A [Sophos].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: MS08-067 (Exploit) signature.

SonicWALL has also released generic IPS signatures that will detect and prevent attacks targeting this vulnerability. Please refer to MS08-067 Server Service Buffer Overflow (Oct 23, 2008) for a detailed description of the vulnerability.
