MS08-067 exploit in wild

October 24, 2008

Today the SonicWALL UTM Research team received samples exploiting the newly patched MS08-067 Windows Server Service vulnerability. We have received at least 10 distinct copies of this exploit malware. Filenames were n[x].exe, where [x] is 1, 2 or 3.

The malware is 397,312 bytes in size. When executed, it drops the following malicious file in the system folder:

  • sysmgr.dll

It starts a service as "sysmgr (System Maintenance Service)" and deletes the original copy of the malware from the folder where it was executed.

It tries to communicate with the following hosts over HTTP:

  • summertime.1gokurimu.com
  • doradora.atzend.com
  • perlbody.t35.com
  • 59.106.145.58

The trojan generates a URL based on the operating system and antivirus information, in the following format: IPADDRESS/test2.php?abc=A?def=B

Where A is numeric and represents an associated type of antivirus application and B is also numeric and defines the operating system. The two values vary depending on the host computer.
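As an added defender-side example (not code from the SonicWALL post), the following Python check parses this beacon format out of web proxy log lines; the log line layout and the sample abc/def values are constructed assumptions, and the second "?" in the URL is matched literally because a standard query-string parser would fold "def=B" into the abc value.

```python
import re
from typing import Optional

# Hosts the post reports the trojan contacting over HTTP.
GIMMIV_HOSTS = {
    "summertime.1gokurimu.com",
    "doradora.atzend.com",
    "perlbody.t35.com",
    "59.106.145.58",
}

# Beacon format from the post: /test2.php?abc=A?def=B with A and B numeric.
# The second '?' stands where '&' would normally be, so match it directly.
BEACON_RE = re.compile(r"/test2\.php\?abc=(\d+)\?def=(\d+)$")


def parse_beacon(url: str) -> Optional[dict]:
    """Return host, antivirus code (A) and OS code (B) if url is a beacon, else None."""
    m = re.match(r"^(?:https?://)?([^/]+)(/.*)$", url.strip())
    if not m:
        return None
    host, path = m.group(1).lower(), m.group(2)
    b = BEACON_RE.search(path)
    if not b:
        return None
    return {"host": host, "av": int(b.group(1)), "os": int(b.group(2)),
            "known_host": host in GIMMIV_HOSTS}


def scan_proxy_log(lines):
    """Return (client, beacon) pairs for lines laid out as '<client> <method> <url>'
    (an assumed layout for this example)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        beacon = parse_beacon(parts[2])
        if beacon:
            hits.append((parts[0], beacon))
    return hits


# Constructed sample lines; the abc/def values are illustrative only.
SAMPLE_LOG = [
    "10.0.0.12 GET http://59.106.145.58/test2.php?abc=3?def=2",
    "10.0.0.12 GET http://www.example.com/index.html",
    "10.0.0.40 GET http://perlbody.t35.com/test2.php?abc=12?def=5",
    "10.0.0.41 GET http://perlbody.t35.com/test2.php?abc=x?def=5",
]

if __name__ == "__main__":
    for client, beacon in scan_proxy_log(SAMPLE_LOG):
        print(client, beacon)
```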

It also performs the following registry modifications:

  • Creates key "HKLM\System\CurrentControlSet\Services\sysmgr\Parameters".
  • Sets value "ServiceDll"="C:\WINDOWS\SYSTEM32\wbem\sysmgr.dll" in key "HKLM\System\CurrentControlSet\Services\sysmgr\Parameters".
  • Sets value "ServiceMain"="ServiceMainFunc" in key "HKLM\System\CurrentControlSet\Services\sysmgr\Parameters".
  • Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost".
  • Sets value "sysmgr"="sysmgr" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost".
  • Sets value "I"="" in key "HKLM\System\CurrentControlSet\Services\sysmgr".
  • Sets value "DisplayName"="System Maintenance Service" in key "HKLM\System\CurrentControlSet\Services\sysmgr".

This malware has a very low detection rate at the time of this writing: Win32/Gimmiv.A [Microsoft], Generic Dropper [McAfee], Mal/Generic-A [Sophos].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: MS08-067 (Exploit) signature.

SonicWALL has also released generic IPS signatures that will detect and prevent attacks targeting this vulnerability. Please refer to MS08-067 Server Service Buffer Overflow (Oct 23, 2008) for a detailed description of the vulnerability.