MS08-067 exploit in wild
Today SonicWALL UTM Research team received samples using the newly patched MS08-067 - Windows Server Service vulnerability. We have received at least 10 distinct copies of this exploit malware. Filenames were n[x].exe (where [x]=1 or 2 or 3).
The malware is 397,312 bytes in size. When executed, it drops following malicious file in the system folder:
It starts a service as "sysmgr (System Maintenance Service)" and deletes the original copy of the malware from the folder where it was executed.
It tries to communicate with following domains over HTTP:
The trojan generates a URL based on the operating system and antivirus information, in the following format: IPADDRESS/test2.php?abc=A?def=B
Where A is numeric and represents an associated type of antivirus application and B is also numeric and defines the operating system. The two values vary depending on the host computer.
It also performs following registry modifications:
- Creates key "HKLMSystemCurrentControlSetServicessysmgrParameters".
- Sets value "ServiceDll"="C:WINDOWSSYSTEM32wbemsysmgr.dll" in key "HKLMSystemCurrentControlSetServicessysmgrParameters".
- Sets value "ServiceMain"="ServiceMainFunc" in key "HKLMSystemCurrentControlSetServicessysmgrParameters".
- Creates key "HKLMSoftwareMicrosoftWindows NTCurrentVersionSvcHost".
- Sets value "sysmgr"="sysmgr" in key "HKLMSoftwareMicrosoftWindows NTCurrentVersionSvcHost".
- Sets value "I"="" in key "HKLMSystemCurrentControlSetServicessysmgr".
- Sets value "DisplayName"="System Maintenance Service" in key "HKLMSystemCurrentControlSetServicessysmgr".
This malware has a very low detection at the time of this writing: Win32/Gimmiv.A [Microsoft], Generic Dropper [McAfee], Mal/Generic-A [Sophos].
SonicWALL Gateway AntiVirus provides protection against this malware via GAV: MS08-067 (Exploit) signature.
SonicWALL has also released generic IPS signatures that will detect and prevent attacks targetting this vulnerability. Please to refer to MS08-067 Server Service Buffer Overflow (Oct 23, 2008) for a detailed description of the vulnerability.