MS08-067: Server Service Vulnerabilities Redux and Wormability

Posted on Friday, October 24th, 2008 | Bookmark on del.icio.us

by Jose Nazario

Yesterday was all abuzz about a new vulnerability patch from Microsoft, released out of their normal schedule of Patch Tuesday. MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution (958644) was released at 1pm US Eastern to address very major issues. Everyone should review the patch, do some testing, and update ASAP. We’re hearing some reports of WiFi driver issues post patching, so do your prep work on this one. We know the issue affects all of the major, common versions of Windows:

Windows XP
Windows 2003
Windows Vista
Windows 2008 Server

The patch was made out of the normal cycle because malcode was on the loose using the vulnerability to spread. Specifically, this vulnerability is a buffer overflow in an unauthenticated Windows SMB file sharing session on TCP ports 139 or 445 in the Windows API call NetPathCanonicalize(). A malicious client can bind to the service and issue a request with an overly long argument, overflowing a buffer and possibly executing arbitrary code on the vulnerable server. This is how the malcode is getting onto systems.

The vulnerability is on TCP ports that see a lot of scanning, but we can baseline the activity to look for spikes. Here’s 30 days of activity for TCP ports 139 and 445 from ATLAS; we’re not seeing a huge scanning spike:

TCP port 139 scanning activity

TCP port 445 scans

While highly wormable — on by default, exploit code is now out, etc — it’s not a Sasser-like situation. Thankfully. This is likely to be mitigated by things like the default firewall in XP SP2 and the like. But we are seeing some malcode on that service.

The Gimmiv family of malware is propagating by exploiting MS08-067. We first received samples related to this family of malware on 2008-10-08 using reports from a trusted partner, so this was fully two weeks before the patch release. Samples we have analyzed are NOT packed with any Windows PE packer, which is more uncommon these days. Once the malcode is on the system, it drops the following files:

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\macnabi.log
C:\WINDOWS\system32\wbem\basesvc.dll
C:\WINDOWS\system32\wbem\syicon.dll
C:\WINDOWS\system32\wbem\winbase.dll

It then contacts three HTTP servers with GET requests:

doradora.atzend.com
perlbody.t35.com
summertime.1gokurimu.com

The malcode then creates several new files:

C:\Documents and Settings\User\Local Settings\Temp\FPMOOWRB.bat
C:\WINDOWS\system32\wbem\sysmgr.dll
C:\WINDOWS\system32\basesvc.dll
C:\WINDOWS\system32\inetproc02x.cab
C:\WINDOWS\system32\install.bat
C:\WINDOWS\system32\scm.bat
C:\WINDOWS\system32\syicon.dll
C:\WINDOWS\system32\winbase.dll
C:\WINDOWS\system32\winbaseInst.exe

The Windows Batch File above is run using cmd.exe. It also sends an ICMP Echo Request packet to multiple IP addresses, using a unique payload: “abcde12345fghij6789″. This is done via the Win32 API call IcmpSendEcho().

Finally, it shuts down the System Manager service using a shell command (calling out to cmd.exe).

The malware’s main purpose is to steal information from the infected user’s host.

Static analysis of the malcode binaries reveals additional interesting data. First, the malcode contains multiple IP addrseses hardcoded into it: 212.227.93.146, 64.233.189.147, and 202.108.22.44. The malode references some VBS files, msrclr40.vbs and nkzclear.vbs, and contains some VBS strings:

WScript.Sleep 5
Dim oFS
set oFS = WScript.CreateObject("Scripting.FileSystemObject")
oFS.DeleteFile "%s"
oFS.DeleteFile "%s"
oFS.CreateFolder "%s"
%s\%s
WScript.Sleep 5
Dim oFS
set oFS = WScript.CreateObject("Scripting.FileSystemObject")
oFS.DeleteFile "%s"
oFS.DeleteFile "%s"
%s\%s
WScript.Sleep 5
Dim oFS
set oFS = WScript.CreateObject("Scripting.FileSystemObject")
oFS.DeleteFile "%s"
oFS.CreateFolder "%s"
oFS.CopyFile "%s", "%s\"
oFS.DeleteFile "%s"
oFS.DeleteFile "%s"

It also contains a CLSID for the credentials DLL, consistent with a credential theft tool. This has been used to grab decrypted passwords from MSN Messenger, for example. This format string batch is also present, suggesting a possible log structure:

===============Outlook Express===============
===============Credential Info================
============Protected Storage Info=============
ID:
Pass:
URL:

In short, not a hugely wormy piece of software, but instead a typical infostealer Trojan.

What’s very interesting about this malcode, even from a quick review of it, is that the malcode doesn’t make use of a lot of Windows APIs consistently, suggesting this was quickly mashed together. Why use “/c reg delete “HKLM\SYSTEM\CurrentControlSet\Services\%s” /f” when you can use the Windows Registry API directly? This doesn’t jive with the notion that the idea that the author(s) were able to develop a new, 0day functional exploit, even from fuzzing. This leads me to suspect they stole it from someplace else and bolted it – crudely – into this malcode. If that’s true, then there’s someone using this as a 0day prior to this patch release and all of this attention. Anyone have attack logs that would suggest 0day activity outside of this malcode?

Additional thoughts on this from around the net:

Yellow to Green : MS08-067 from the SANS ISC. We may be raising our ATLAS Threat Index as well.
NAPI Worm from my friends over at DISOG. Nice analysis.
More detail about MS08-067, the out-of-band netapi32.dll security update from the MSFT SWI blog. Great material there.
MS08-067 and the SDL from Microsoft, again
Gimmiv DLL from my friend Toni, who keeps an excellent malware blog.
ThreatExpert sandbox report for Gimmiv.A, at least one of the variants.
F-Secure blog: Out-of-band patch from Microsoft.
Win32/Gimmiv.A from CA’s AV writeup.
Win32.Worm.Gimmiv.A AV writeup from BitDefender.
Just some comments on MS08-067 from the Sunbelt Blog.
Gimmiv.A exploits critical vulnerability (MS08-067) from the ThreatExpert blog.

We’ll be keeping an eye on this one in the coming days.

Popularity: 1% [?]

This entry was posted on Friday, October 24th, 2008 at 2:23 pm and is filed under Arbor Networks - DDoS Experts, ATLAS, Attacks and DDoS Attacks, Exploit Code, Malware, Reverse Engineering, Secure Coding, Trojan Horses, Vulnerabilities, Worms. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

4 Responses | Add your own

Comment Post by: MS08-067 in Attackers Platform? « Threat Researcher — October 29th, 2008 @ 4:48 am EST Reply

[...] Ms08-067-server-service-vulnerabilities-redux-and-wormability SecuriTeam: Vulnerability in Server Service Allows Code Execution (MS08-067) CA : MS08-067 Wormable [...]

Comment Post by: Hank Su — November 4th, 2008 @ 10:14 am EST Reply

is any impact to DNS server if this hotfix patch applied?

Comment Post by: Jose Nazario — November 4th, 2008 @ 10:18 am EST Reply

i am not aware of any DNS server impacts if this is applied, no.

Comment Post by: GIMMIV — November 11th, 2008 @ 1:01 pm EST Reply

[...] cei care vor detalii mai amănunţite despre acest virus, le pot găsi la una din adresele: – http://asert.arbornetworks.com/2008/10/ms08-067-server-service-vulnerabilities-redux-and-wormability... – http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=74579 – [...]

DDoS and Security Reports

Real-Time Internet Traffic Analysis

Tag Cloud

MS08-067: Server Service Vulnerabilities Redux and Wormability

4 Responses | Add your own

Leave a Comment