The saga of the MS08-67 security flaw that affects Windows XP, Vista, Windows 2000, Server 2003 and Server 2008 continues. First there was the out-of-date patch released by Microsoft late October, which caught everyone’s eye because Microsoft rarely breaks the update cycle it has in place, unless the problem is big, it affects a fundamental part of the Windows OS, and is exploitable. After the patch was released, a round of explanations ensued, since everyone was intrigued and wanted to find out more about the flaw. The next chapter in this saga was releasing an exploit in the wild such as the Milw0rm and Metasploit ones.
Just as the security experts were expecting, a worm that takes advantage of unpatched, vulnerable Windows-based systems has been detected in the wild. A notice caught my eye the other day - it seems that F-Secure, company that specializes in providing antivirus software solutions and internet security, has detected a worm loose on the net that it is capable of exploiting the MS08-67 vulnerability.
“The exploit payload downloads a dropper that we detect as Trojan-Dropper.Win32.Agent.yhi. The dropped components include a kernel mode DDOS-bot that currently has a selection of Chinese targets in its configuration. The worm component is detected as Exploit.Win32.MS08-067.g and the kernel component as Rootkit.Win32.KernelBot.dg.” says F-Secure.
Symantec, company best known for its Norton Internet Security and Norton 360 security software, also detected a worm that exploits MS08-67 and has called it “Wecorl”. Once the worm infects a system it attempts to download software to that machine (which is most likely malware) and then tries to connect with other machines on the local subnet.
The worm affects only Windows 2000, XP, and Server 2003 – for these operating systems the MS08-67 flaw was deemed critical. Windows Vista and Server 2008, for whom the flaw is only “important”, are currently safe from the worm menace, but who is to say if that will remain so. The best course of action is to patch your Windows OS and update your antivirus software.
Just as the security experts were expecting, a worm that takes advantage of unpatched, vulnerable Windows-based systems has been detected in the wild. A notice caught my eye the other day - it seems that F-Secure, company that specializes in providing antivirus software solutions and internet security, has detected a worm loose on the net that it is capable of exploiting the MS08-67 vulnerability.
“The exploit payload downloads a dropper that we detect as Trojan-Dropper.Win32.Agent.yhi. The dropped components include a kernel mode DDOS-bot that currently has a selection of Chinese targets in its configuration. The worm component is detected as Exploit.Win32.MS08-067.g and the kernel component as Rootkit.Win32.KernelBot.dg.” says F-Secure.
Symantec, company best known for its Norton Internet Security and Norton 360 security software, also detected a worm that exploits MS08-67 and has called it “Wecorl”. Once the worm infects a system it attempts to download software to that machine (which is most likely malware) and then tries to connect with other machines on the local subnet.
The worm affects only Windows 2000, XP, and Server 2003 – for these operating systems the MS08-67 flaw was deemed critical. Windows Vista and Server 2008, for whom the flaw is only “important”, are currently safe from the worm menace, but who is to say if that will remain so. The best course of action is to patch your Windows OS and update your antivirus software.