Worm Exploiting Microsoft Windows Server Spotted

The vulnerability, which could allow a remote attacker to take over Windows computers without any user interaction, taps into the recent Microsoft Security Bulletin MS08-067.

Thomas Claburn, Editor at Large, Enterprise Mobility

November 3, 2008

1 Min Read
Dark Reading logo in a gray background | Dark Reading

A worm designed to exploit the recently patched vulnerability covered in Microsoft Security Bulletin MS08-067 has been detected, US-CERT, the government's cybersecurity organization, warned Monday.

Just over a week ago, Microsoft issued MS08-067 as an out-of-band patch to fix a critical flaw that could allow a remote attacker to take over Windows computers without any user interaction. The flaw has to do with the way the Microsoft Windows server service handles Remote Procedure Call requests.

Christopher Budd, a Microsoft Security Response Center program manager, said in a blog post that "the vulnerability is potentially wormable" on older versions of Windows. And other security researchers echoed his concern.

It now appears such concerns were well-founded. Proof-of-concept binaries designed to exploit MS08-067 appeared last week.

And on Monday, F-Secure said it had received reports of a worm designed to exploit MS08-067 in the wild.

"We've received the first reports of a worm capable of exploiting the MS08-067 vulnerability," the company said on its blog. "The exploit payload downloads a dropper that we detect as Trojan-Dropper.Win32.Agent.yhi. The dropped components include a kernel mode DDOS-bot that currently has a selection of Chinese targets in its configuration."

F-Secure also identified the worm component as Exploit.Win32.MS08-067.g and the kernel component as Rootkit.Win32.KernelBot.dg.

Other vendors may use different names to identify the malware.

In its Security Intelligence Report for the first half of 2008, Microsoft on Monday said, "The most common system locale for victims of browser-based exploits was Chinese, accounting for 47% of all incidents, followed by U.S. English with 23% of incidents." It also said that Trojan downloaders and droppers accounted for more than 30% of all malware removed from computers by Microsoft security products worldwide.

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights