So, let me get this straight, MS was informed about this vulnerability by a security researcher (Meron Sellen) last August, and it’s sat in the Microsoft Security Response Center’s queue to be fixed until Google got hacked, and then they checked their queue to see if they knew about it?

Even though this was acknowledged in September, and MS planned to ship the patch in a cumulative IE update next month, so that’s 6 months, really? Wow, I thought that Adobe had it tough with not having enough developers to patch
This really makes me question the worlds largest OS developer, I have to say. The following questions come to mind though.

- If this was passed to them last September, do they have that many bugs in their code that they haven’t gotten around to this one yet?

- What happened to MS’s secure development program if something like this can get missed?

-  As it’s the fault of a software development house that another 33 companies were hacked, will any legal action be taken against then for this?

- Will/Could Google sue MS for damages if they do decide to pull out of China because of this hack?

Just random thoughts, but hey…

What with twenty years experience in reviewing AV software, I figured I’d better try it out.

It’s not altogether terrible.  The fact that it’s free, and from Microsoft (and therefore promoted), might reduce the total level of infections, and that would be a good thing.

But even for free software, and from Microsoft, it’s pretty weird.

When I installed it, I did a “quick” scan.

That ran for over an hour on a machine with a drive that’s got about 70 Gb of material on it, mostly not programs.  At that point I hadn’t found out that you can exclude directories (more on that later), so it found my zoo.  It deleted nine copies of Sircam.

Lemme tell ya ’bout my zoo.  It’s got over 1500 files in it.  There are a lot of duplicate files (hence the nine copies of Sircam), and there are files in there that are not malware.  There are files which have had the executable file extensions changed.  But there are a great number of common, executable, dangerous pieces of malware in there, and the only thing MSE found was nine copies of Sircam.

(Which it deleted.  Without asking.  Personally, for me, that’s annoying.  It means I have to repopulate my zoo from backups.  But for most users, that’s probably a good thing.)

Now, when I went to repopulate my zoo, I, of course, opened the zoo directory with Windows Explorer.  And all kinds of bells and whistles went off.  As soon as I “looked” at the directory, the real-time component of MSE found more than the quick scan did.  That probably means the real-time scanner is fairly decent.  (In my situation it’s annoying, so I turned it off.  MSE is now annoyed at me, and continues to be annoyed, with big red flags on my task bar.)
MSE has four alert levels to categorize what it finds, and you have some options for setting the default actions.  The alert levels are severe (options: “Recommended action,” “Remove,” and “Quarantine”), high (options: “Recommended action,” “Remove,” and “Quarantine”), medium (options: “Recommended action,” “Remove,” “Quarantine,” and “Allow”), and low (options: “Recommended action,” “Remove,” “Quarantine,” and “Allow”).  Initially, everything is set at “Recommended action.”  I turned everything down to the lowest possible settings: I want information, not strip mining.  However, for most people it would seem to be reasonable to keep it at the default action, which seems to be removal for everything.
I don’t know where it puts the quarantined stuff.  It does have a directory at C:\Documents and Settings\All Users\Application Data\Microsoft Security Essentials, but no quarantined material appears to be there.

(I did try to find out more.  It does have help functions.  If you click on the “Help” button, it sends you to this site.  However, if you click on the link to explain the actions and alert levels, it sends you to this site.  If you examine those two URLs, they are different.  If you click on them, you go to the same place.  At that location, you can get some pages that offer you marketing bumpf, or watch a few videos.  There isn’t much help.)
You can exclude specific files and locations.  Personally, I find that extremely useful, and the only reason that I’d continue using MSE.  It does seem to work: I excluded my zoo before I did a full scan, and none of my zoo disappeared when I did the full scan.  However, for most users, the simple existence of that option could signal a loophole.  If I was a blackhat, first thing I’d do is find out how to exclude myself from the scanner.  (There is also an option to exclude certain file types.)

So I did a full scan.  That took over eight hours.  I don’t know exactly how long it took, I finally had to give up and leave it running.  MSE doesn’t report how long it took to do a scan, it only reports what it found.  (I suspect the total run was around ten or eleven hours.  MSE reports that a full scan can take up to an hour.)

While MSE is running it really bogs down the machine.  According to task manager it doesn’t take up much in the way of machine cycles, but the computer sure isn’t responsive while it’s on.
When I came back and found it had finished, the first thing it wanted me to do was send a bunch of suspect files to Microsoft.  The files were all from my email.  On the plus side, the files were all messages that reported suspect malware or Websites, so it’s possible that we could say MSE is doing a good job in scanning files and examining archives.  (On the other hand, every single message was from Sunbelt Software.  This could be coincidence, but it is also a fact that Sunbelt makes competing AV software, and was formerly associated with a company that Microsoft bought in its race to produce AV and anti-spyware components.)

Then I started to go through what Microsoft said it found, in order to determine what I had lost.

The first item on the list was rated severe.  Apparently I had failed to notice six copies of the EICAR test file on my machine.

Excuse me?  The EICAR test file?  A severe threat?  Microsoft, you have got to be kidding.  And the joke is not funny.

The EICAR test file is a test file.  If anyone doesn’t know what it is, read about it at EICAR, or at Wikipedia if you don’t trust EICAR.  It’s harmless.  Yes, a compatible scanner will report it, but only to show that your scanner is, in fact, working.

It shouldn’t delete or quarantine all copies it finds on the machine.

MSE also said it quarantined fifteen messages from my email for having JavaScript shell code.  Unfortunately, it didn’t say what they were, and I wasn’t sure I could get them back.  I don’t know why they were deleted, or what the trigger was.  MSE isn’t too big on reporting details.  I don’t know whether these messages were simply ones that contained some piece of generic JavaScript, and got boosted up to “severe” level.  Given the EICAR test file experience, I’m not inclined to give Microsoft the benefit of the doubt.

After some considerable work, I did find them.  They seemed to be the “suspect” messages that Microsoft wanted.  And when I tried to recover them, I found that MSE had not quarantined them: they were left in place.  So, at the very least, at times MSE lies to you.

(I guess I’d better add my email directory to places for MSE not to scan.)
MSE quarantined some old DOS utilities.  It quarantined a bunch of old virus simulators (the ones that show you screen displays, not actual infectors).  (Called them weird names, too.)

MSE quarantined Gibson Research’s DCOMbob.exe.  This is a tool for making sure that DCOM is disabled on your machine.  Since DCOM was the vector for the Blaster worm (among others), and is really hard to turn off under XP, I find this rather dangerous.

OK, final word is that I can use it.  I’ll want to protect certain areas before I do, but that shouldn’t be too much of a concern for most users.

You might want to make sure Microsoft isn’t reading your email …

0day exploits for Internet Explorer, Firefox, and Safari were used to own machines at the Pwn2Own contest @ CanSecWest 2009. Is now the time for someone to port Windows 3.1 to MIPS and install a good telnet client? Roffles.

Credit www.dailygalaxy.com for the fierce FF/IE photo

And you thought this day would never come… read more here.

No, this is not a joke

Adobe Acrobat, at least the reader, has been owned. Again. So Surprising.

The good news is that Xpdf probably isn’t vulnerable

There is an interesting article about NetBSD becoming the new os on the tmobile sidekick. While NetBSD can run on just about any kind of relevant hardware, running NetBSD on the sidekick and painting a nice GUI (with the help of Danger probably) should be lots of fun. As an end result, could this not rank as the most secure mobile device if nothing else?

The flaw discovered by Dan Kaminsky put a forthright scare into the entire internet community — and it should have. This attack, which is trivial in nature, could make the difference between sending all your private data to the secure server across the ocean, or to a happy hacker filling his/her eye balls with goodies.

But now, since everyone was woken up, there are two mainstream, proposed solutions in hopes of ending the insecurity in DNS: DNSSEC and DNSCurve. Which one should you bet your network’s integrity on? Better hope your patched or you might get bailiwicked. Let the enlightenment begin.

DNSSEC, or Domain Name System Security Extensions, is a suite of IETF specifications for securing certain kinds of information in DNS. Recently, lots of companies have been gearing up to implement DNSSEC, as a means of securing DNS on the Internet. One man, that opposes DNSSEC, has written his own code to provide a nicer, more secure solution, and far better than DNSSEC. He calls it DNSCurve.

DNSCurve uses high-speed, high-security elliptic cryptography to improve and secure DNS. Daniel J. Bernstein, the creator of DNSCurve and many other high security servers such as qmail and djbdns servers, doesn’t want DNSSEC implemented, but DNSCurve instead. And it is no question which one is the better choice after looking at the comparisons Bernstein makes between the two now rivals.

Some huge advantages with DNSCurve vs DNSSEC are encrypting DNS requests and responses, not publishing lists of DNS records, much stronger cryptography for detecting forgeries, (some) protection against denial of service attacks, and other improvements.

There is one quick, unrelated issue that I disagree with Mr. Bernstein about. After offering $500 “to the first person to publish a verifiable security hole in the latest version of qmail”, he states: “My offer still stands. Nobody has found any security holes in qmail”. But in 2005, Georgi Guninski found one and has confirmed exploitability on 64 bit platforms with a lot of memory.

Bernstein denied his claim and then stated “In May 2005, Georgi Guninski claimed that some potential 64-bit portability problems allowed a “remote exploit in qmail-smtpd.'’ This claim is denied. Nobody gives gigabytes of memory to each qmail-smtpd process, so there is no problem with qmail’s assumption that allocated array lengths fit comfortably into 32 bits.”. Now, to me, and I am sure to many other people as well, an exploitable bug in an exploitable bug. Conditions have to sometimes be met and “can be carried too far”, one might put it, but in this case, it is clear that Guninski found at least one exploitable bug in qmail. Game over. No disrespect to Mr. Bernstein or his code; he does have both great code and concepts. On with my main literature.

So, if I were a betting man (and I am), I would gamble on Bernstein’s all around great approach to making DNS safer, more resilient against attacks, and definatly more secure. Hopefully, people will realize money can’t solve all our problems, but the guys that know what they are doing, can, and might just make some things happen pretty soon.

I thought I’d try something different (excuse me if its been done before, oh well). Every week I will be making a list of the top 5 exploits of the week, details about them, etc.

So lets get the ball rolling:

#1 Internet Explorer 7 XML Buffer Overflow Exploit (Vista Target) — This remote beauty executes remote code on a vulnerable (probably still unpatched) Internet Explorer 7 machine running Windows Vista. Coded by muts.

#2 Internet Explorer 7 XML Buffer Overflow Exploit (XP SP3 Target) — Exploits the same bug as above but executes code on a Windows XP SP3 target. Coded by Guido Landi.

#3 XOOPS 2.3.1 Multiple LFI Exploits — XOOPS suffers from a few local file inclusion bugs, and DSecRG has some code for you.

#4 Linux Kernel ATMSVC DoS Exploit — Send a kernel into an infinite loop by locally running this exploit on a vulnerable machine. Code by Jon Oberheide.

#5 phpMyAdmin 3.1.0 XSRF Exploit — Cross site scripting attacks are more dangerous than most developers think. Here is exploit code, just don’t have phpMyAdmin open in another tab! Provided by Michael Brooks.

See you all next week with more. Bug on

Yeah, brute force attacks on SSH is old news. But now, there is something new and interesting about them! Attackers (How did they get so smart!?) are now using ‘advanced’ techniques to make these attacks even more effective:

“Instead of using the same compromised machine to try multiple password combination, the newer attack relies on coordination among multiple botnet clients. Also, instead of throwing this resource at random Secure Shell (SSH) remote admin servers, the assault is targeted at specific servers.”

OH NO! We all must go and protect our servers now!

Or do any or all of these good practices that decent administrators have known about for years…

1) USE STRONG PASSWORDS! (You can bet attackers will have ‘johndoe’ in their wordlist, but not ‘00J0hNND0eEe00$’)
2) Firewall all logins via SSH except for authorized IP addresses
3) Run SSH Server on another port besides 22

Some helpful tips for the helpless. Ho, ho, ho unwise system admins.

Microsoft’s world has been shaken up recently by a new remote command execution exploit for its premier web browser, Internet Explorer.

Quoting a timeline from eEye’s research on this vulnerability makes it this story more interesting:

“11/15/2008 In-The-Wild Exploitation Witnessed By 3rd Party
12/9/2008 Reliable Exploit Code Identified by eEye Research”

The problem is in the code processing XML in Internet Explorer. An attacker can exploit a buffer overflow to execute their own code on the client just by visiting a malicious web page.There are already full exploits for Windows XP and Windows Vista. Apprently, this has been exploited in the wild for some time now. Its too bad that the original bug discoverer didn’t sell his/her code, they probably would have gotten a small fortune (I am talking about totally legitimate agencies, of course).

Also, according to Muts’ Blog, this vulnerability still isn’t patched (Vista updated with latest patches — stated on the blog). Oh Microsoft, we know your good with your Patch Tuesdays and all that stuff, but couldn’t you break down and hand out some emergency patches soon? I mean, should ~50% of the world get owned just in time for Christmas!?

But rapid reader, I bring good news too! Firefox users shouldn’t have a thing to worry about =)

AVG Technologies (formerly Grisoft) has been through a lot the last 17 years. Its almost considered an adult! From specializing in security software to… well actually they still do the same thing, they just focus greatly on antivirus and antimalware technology today.

In April 2006, AVG acquired Ewido Networks and bumped up their own antivirus’s version from version 7.1 to 7.5. Soon thereafter, Microsoft (!@#$) stated that AVG’s products would even be DIRECTLY available from the Windows Security Center in Vista.

Not cutting many corners, lets shift our focus now on AVG’s acquisition of Exploit Prevention Labs in late in 2007. AVG liked their ‘LinkScanner’ code and later released it in the next huge ‘revision’ of the AVG antivius suite, AVG 8. Now before I bash AVG 8, I will tell you that I used to be a big AVG fan. I always recommended it to everyone, whenever I had the chance. It WAS great — AVG offered advanced protection and ran so smooth and so clean. But at the moment, its bloated, clunky, very slow, a huge resource hog, and I am glad that I don’t have to use it. LinkScanner seems to have great intentions but has, so far, gotten off to a rocky start (or finish). A friend of mine warned me about it when it first was released, and I tried to give it the benefit of the doubt, keeping it on the ‘good’ list. I just simply don’t like the fact that it has been near ruined recently, thanks to AVG’s poor decisions.

Just like in poker, “Its about making the best decisions”, and how true that is when you think about it for the software industry too. Everyone makes mistakes, but AVG: PLEASE BE GOOD AGAIN!

For years now, Zone-H.org has been, primarily, a website that mirrors website defacements. And also over the years, nearly every company, government, or otherwise popular/high-profile server has experienced being hacked. In case your not familiar with how it works, I will tell you about the process.

Basically, an attacker defaces the target website in some way and they submit it to Zone-H. Zone-H verifies the defacement and publishes a mirror. They accept any web accessible site, high-profile or not. Blogs, personal websites, mom and pop websites, even free websites haven’t been spared from attackers. But what has made this act so popular, and really into a popularity contest, is Zone-H’s rigorous mirror system, recording stats and names they use to deface, feeding the crave for attention or otherwise.

If you look where they classify and detail ‘special defacements‘, you can see a lot of the attackers’ bread and butter. LG’s Pakistan website, US/Chinese/Malaysian government websites, even on occasion NASA or military websites are hacked and defaced. Some attackers leave politically motivated messages, other just for fun, such as this one by ‘netb00m’:

“LGE pakistan was way to easy to get into.
Its almost like you guys beg to get hack.
Anyway, cant you guys make phones more like palm?
I mean you guy do make good stuff, but palm is alot nicer. =)”

As long as Zone-H mirrors these defacements, the attacks will never end. There is simply too much motivation, too many chances to look ‘cool’. However true that is, sometimes these guys get in trouble. I wish the best for them, but they could help themselves by growing up a little. It may have been ‘cool’ back in the day to the deface websites, but now, its just another risk to take to prove yourself to people who seem to carry themselves on their sleeves.

I wonder why it took so long.

He even has 2 nice recommendations. Quite an effort was put on his profile:

And it’s only the contact information that tells the sad story. Note how many variations of ‘bill gates’ were taken in gmail that the pranksters had to use this one:

The RPC Worm Victim List has a list [.txt] of hundreds machines and they are mainly Windows XP machines (MSIE 6.0 or MSIE7.0; Windows NT 5.1 in browser’s user agent).

I made a script to generate WHOIS queries and the results say that the victim machines are located mainly in Australia, China, Philippines, India, Japan, Korea, Malta, Malaysia, Taiwan, and Vietnam. There are only some machines in France, UK, and USA.

It’s very interesting that there is an IP from Microsoft too - a Wget machine with IP address 64.147.0.80. The Wget version is 1.10.2.

Whois Record

OrgName: Microsoft Corp
OrgID: MSFT
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US

NetRange: 131.107.0.0 - 131.107.255.255
CIDR: 131.107.0.0/16
NetName: MICROSOFT

There are several Wget UA’s included, one with the version number Wget/1.8.2 too.

I recommend that Redmon guys patch that machine ASAP

So Dave Aitel said there are no more RPC vulnerabilities because his fuzzer couldn’t find any new ones. Well, I thought it was just a matter of trying more combinations and I was right.

The point, though, is not who has a longer fuzzer, but that when it comes to security always bet against the person who says something is impossible.

In fact, I made that mistake myself back in the 1990s, claiming Windows can’t be reliably exploited (I can’t find the link to the old ntbugtraq archives - thank god for that). Little did I know how easy writing Windows exploits would become. Now if I can only get a message to my younger self to avoid this embarrassment. And if I do get to talk to my young self I’ll be sure to tell me to skip the 2nd and 3rd matrix movies.

Summary:
This is Frequently Asked Questions document about new, recently patched RPC vulnerability in Microsoft Windows. The document describes related Trojan and worm malware as well.
It is worth of noticing that code execution type vulnerabilities in Office programs are widely used to industrial espionage since 2006. This time the exploitation represents the use of non-Office vulnerabilities and e-mail attack vector is not used.

Update: After the weekend the malware analyses shows that the Trojan has designed to steal credential information and to collect a botnet-like network.

Q: What is the recent Microsoft Window RPC vulnerability disclosed in October?
A: This vulnerability is caused by an error when processing malformed RPC (Remote Procedure Call) requests. The issue was disclosed by the vendor after active exploitation of the vulnerability.
Q: How does the vulnerability mentioned works?
A: The vulnerability is code execution type vulnerability. Attacker successfully exploiting this vulnerability can run code of his or hers choice in the affected machine.
This vulnerability is caused due to overflow when handling malformed RPC requests. This enables executing arbitrary code of the attacker. Technically the vulnerability exists in the Server service.

Q: When this vulnerability was found?
A: The exact information is not available. Information about upcoming security update was announced on 22nd October, but this vulnerability has been used in targeted attacks at least two weeks already. The exploitation disclosed the existence of vulnerability.

Q: What is the mechanism in exploitation?
A: Information was not disclosed, but during the exploitation malicious executables are being downloaded and executed from the remote Web site.

Q: Is the exploit code of this vulnerability publicly released?
A: Yes. On Friday 24th October the proof of concept code was released on a blog of security researcher and on public, moderated security mailing list. The PoC has been released at several well-known exploit and security community Web sites too. Metasploit module has been released too (link). PoC’s work against Windows XP SP2, Windows XP SP3 and Windows 2003 Server SP2 machines.

Q: Which Windows versions are affected?
A: Microsoft Windows 2000, Windows XP, Windows Vista, Windows 2003 Server and Windows Server 2008 systems are affected.

Q: I am using the 7 Pre-Beta version of Windows, is my operating system affected?
A: According to the Microsoft it is affected too. An update is available (see MS08-067).

Q: I am a home user, is it possible to update my system in a normal way via Microsoft Update?
A: Yes, visiting the Microsoft Update Web site at http://update.microsoft.com/ will update the system against the exploitation of the vulnerability. If the Automatic Updates is enabled the system will be updated automatically without user’s actions.

Q: Where are the official Microsoft documents related to this case located?
A: The official Security Bulletin MS08-067, entitled Vulnerability in Server Service Could Allow Remote Code Execution (958644) has been released at Microsoft TechNet Security section:
www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Updated information released by the vendor has been covered at MSRC Blog (The Microsoft Security Response Center Blog). The address of the blog is blogs.technet.com/msrc/.
File information of the MS08-067 security update has been released at separate Knowledge Base document #958644: support.microsoft.com/kb/958644.
Microsoft Security Advisory #958963 released to notify the availability of the security update is located at
www.microsoft.com/technet/security/advisory/958963.mspx

Q: What the term ‘out-of-band’ means?
A: Normally Microsoft releases security updates once a month, at the second Tuesday of the every month. Very rarely, during the Windows ANI vulnerability etc. the security update will come out outside of this regular update cycle. Out-of-band and out-of-cycle describe the situation when waiting the regular update Tuesday, so-called Patch Tuesday is not enough to protect Windows systems against exploitation.
The next security updates will be released on Tuesday 11th November.

Update:
Q: Is this a new Slammer worm?
A: No, due to new security features included to SP2 etc. However, on 3rd Nov it was reported about the worm exploiting this vulnerability.

Q: Are there any workarounds available? Our organization is making tests with the patch still.
A: The security bulletin lists the following workarounds:
-Disable the Server and Computer Browser services
-Block TCP ports 139 and 445 at the firewall

Q: Is there Snort rules for this vulnerability available?
A: Yes. Additional details can be obtained at
www.snort.org/vrt/advisories/vrt-rules-2008-10-23.html
known as a ruleset against Microsoft DCE/RPC remote code execution attempts.
The download address is www.snort.org/pub-bin/downloads.cgi
(to paying Sourcefire customers)
Emerging Threats project has released new signatures too, details at
http://www.emergingthreats.net/index.php/component/content/article/17-sigs/125-weekly-new-signatures-october-25-2008.html

Q: What is the situation of Nessus plugins related to this vulnerability?
A: Nessus Plugin ID #34476 has been released. More information is available at
www.nessus.org/plugins/index.php?view=single&id=34476

Q: What are the target organizations etc. of this vulnerability?
A: This information is not available and probably it will never go public. Microsoft has confirmed that fever than 100 organizations are targeted in targeted attacks.

Q: Is there information about file sizes used during the attacks?
A: Yes. The size is 397,312 bytes.
Update: The size can be anything between 49,152 and 417,792 bytes.

Q: How the user can notify the infection?
A: It is reported that the command prompt will appear.

Q: What are the names of malwares exploiting this vulnerability?
A: There are reports about a data collecting Trojan (Gimmiv.A) and a Trojan searching for non-patched machines on LAN (Arpoc.A).

The following names are being used (listed in alphabetical order):
AhnLab - Dropper/Gimmiv.397312 since 2008.10.24.04
Authentium - W32/Gimmiv.A since 23rd Oct
Avira - TR/Dldr.Agent.gcx since 24th Oct, iVDF 7.00.07.81
Bitdefender - Win32.Worm.Gimmiv.A since since 23rd Oct
- dropper detected as Win32.Worm.Gimmiv.B
CA - Win32/Gimmiv.A since eTrust 31.6.6167
ClamAV - Trojan.Gimmiv since 8524
- Trojan.Gimmiv-1…Trojan.Gimmiv-7 since 8526
Dr.Web - DLOADER.PWS.Trojan since 23rd Oct
Eset - Win32/Gimmiv.A since 24th Oct, v.3551
- Win32/Spy.Gimmiv, Win32/Spy.Gimmiv.A since v.3553
- Win32/Spy.Gimmiv.B since v.3555
Fortinet - W32/Gimmiv.A!tr.spy
- name change: W32/Gimmiv.A!worm since 9.676
F-Secure - Trojan-Spy:W32/Gimmiv.A since 2008-10-24_01
- Trojan-Spy:W32/Gimmiv.B since 2008-10-24_05
- Trojan-Spy:W32/Gimmiv.C, D, E, F variants since 2008-10-24_08
- Net-Worm.Win32.Gimmiv.a since 25th Oct 2008-10-25_01
McAfee - PWS.y!C91DA1B9 since DAT5413
- Spy-Agent.da since 23rd Oct, DAT5414, its DLL component detected as Spy-Agent.da.dll
Microsoft - TrojanSpy:Win32/Gimmiv.A[.dll] since 23rd Oct
- since 24th Oct update 1.4005 included signatures
- exploit: Exploit:Win32/MS08067.gen!A
Kaspersky - Trojan-Downloader.Win32.Agent.alce since 24th Oct, 7.0.0.125
Panda Security – detected as ‘Suspicious file’ since 23rd Oct, 9.0.0.4
- Gimmiv.A since 24th Oct
PCTools - Trojan-Spy.Gimmiv.A
Prevx - detected as ‘Cloaked Malware‘
Rising - Trojan.Spy.Win32.Undef.z since 23rd Oct, 21.00.32.00
Sophos - Sus/Dropper-A since 21st Aug (based to heuristic techniques)
- additionally Troj/Gimmiv-A, IDEs since 4.34.0,
- Troj/Gimmiv-Gen since 4th Nov
Symantec - Infostealer since 23rd Oct
- name change: Trojan.Gimmiv.A since 24th Oct, rev. 024
- malicious files detected as Bloodhound.Exploit.212
Trend Micro - WORM_GIMMIV.A since 5.617.00
- TSPY_GIMMIV.A since 5.617.00

where ’2008.10.24.04’ states that these virus signatures or newer include a protection for the malware.

Alias names CVE-2008-4250, W32.Slugin.A and W32/NetAPI32.RPC!exploit.M20084250 are in use too.

Update: Added Arpoc section:
BitDefender - Win32.Worm.Gimmiv.B
CA - Win32/Gimmiv.B since 31.6.6172
Dr.Web - Win32.HLLW.Jimmy.3 since unknown signatures
McAfee - Spy-Agent.da since DAT5414, its DLL component detected as Spy-Agent.da.dll

Update: Added RPC worm section:
AntiVir - TR/Expl.MS08-067.G
BitDefender - Trojan.Downloader.Shelcod.A
ClamAV - Exploit.MS08-067 since 8566
Eset - Win32/Exploit.MS08-067.B, C and D since 3576
F-Secure - worm component as Exploit.Win32.MS08-067.g
- kernel component as Rootkit.Win32.KernelBot.dg
Ikarus - Virus.Exploit.Win32.MS08.067.g
Kaspersky - Exploit.Win32.MS08-067.g since 31th Oct
McAfee - kernel component as KerBot!37E73FFB since DAT5422
Microsoft - Exploit:Win32/MS08067.gen!A
- Trojan:Win32/Wecorl.A
- Trojan:Win32/Wecorl.B
Norman - kernel component as w32/agent.jbvo
Prevx - Worm.KernelBot
Sophos - Mal/Generic-A
- Exp/MS08067-A since 4th Nov
Symantec - W32.Wecorl since 3rd Nov (latest daily certified version) rev. 052
- W32.Kernelbot.A since 3rd Nov (latest daily certified version) rev. 041
Trend Micro - WORM_KERBOT.A since 5.637.00
- WORM_WECORL.A since 5.640.05

Q: What kind of payload this Trojan horse has?
A: This is what the Trojan gathers (according to Microsoft’s document):
*User Name
*Computer Name
*Network Adapters / IP Addresses
*Installed com objects
*Installed programs and installed patches
*Recently opened documents
*Outlook Express and MSN Messenger credentials
*Protected Storage credentials

Q: What kind of Trojan has attacked to the targeted organizations?
A: It is a very sophisticated and dangerous Trojan. It encrypts the data with AES and deletes itself after its operations. Before sending the gathered data to the attacker it reports the AV software of the installation (from HKEY_LOCAL_MACHINE\SOFTWARE\) as a parameter (BitDefender, Jiangmin, Kingsoft, Kaspersky, Microsoft OneCare, Rising and Trend Micro).

Q: Are there any changes to Windows registry or the file system made by this malware?
A: The following registry key is being modified:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr
The display name of the service being generated is System Maintenance Service.
The malicious files are being copied to System32\wbem folder including basesvc.dll, syicon.dll, winbase.dll and winbaseInst.exe. NOTE: After being executed the Trojan deletes these files and itself.
Update: According to Arbor Networks the file C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\macnabi.log is being dropped too.

Q: Now I know that my anti-virus software can report computers in my organizations as clean because the Trojan has deleted itself from the system. What are the malicious executables that I can search them and examine logs etc.?
A: There are several names and all of the files has same size mentioned earlier, i.e. 397,312 bytes.
Update: According to McAfee the size varies from 49,152 to 417,792 bytes.

The most common file name is N2.exe. However, file names Nx.exe are widely spreading as well; [x] represents a number from 1 through 9.
The MD5 hash of the one specific N2.exe file in the wild on 23rd Oct is f173007fbd8e2190af3be7837acd70a4.
Update: To list one more the MD5 hash of n5.exe is 24cd978da62cff8370b83c26e134ff4c.

Prevx database knows the following file names too:
15197927.EXE, 00003106.EXE, NVIR/N2.EXE, 18912604.EXE, 54800477.DAT
The format of the file can be NVIR/N3.EXE etc. too.

Q: What type of network connections these malware make?
A: Gimmiv.A sends an ICMP Echo Request packet to multiple IP addresses including the string ”abcde12345fghij6789”.

Q: How can I recognize malicious files spreading RPC worm (Exploit.Win32.MS08-067.g)?
A: The files names reported in the wild are 6767.exe and KernekDbg.exe.

Q: What is the size of these files?
A: The size are various, but many of them are 16,384 bytes long.

Q: What kind of network connections the worm makes and are there any modifications made to Windows registry?
A: It connects to robot.10wrj.com, ls.cc86.info, ls.lenovowireless.net and ls.playswomen.com. Yes, the worm will add the new value to HKLM\SOFTWARE\Licenses and HKLM\SOFTWARE\Google.

Q: Are there any changes to Windows HOSTS file?
A: Yes, the lines
127.0.0.1 dnl-cn1.kaspersky-labs.com
127.0.0.1 alert.rising.com.cn
127.0.0.1 www.mcafee.com
will be added yo the HOSTS file.

Q: Is there CVE name available to this issue?
A: Yes. The Common Vulnerabilities and Exposures project (cve.mitre.org) has released the following CVE candidate CVE-2008-4250:
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250

Q: What is the CVSS severity of this vulnerability?
A: The CVSS (Common Vulnerability Scoring System) score is 10.0 (High).

Q: Is there a CWE class assigned?
A: The CWE (Common Weakness Enumeration) ID of the vulnerability, in turn, is #119, i.e. Failure to Constrain Operations within the Bounds of an Allocated Memory Buffer class:
cwe.mitre.org/data/definitions/119.html

Q: Is there a CME name available?
A: No. The Common Malware Enumeration (CME) project has not assigned an identifier for these malware.

Q: When exploiting this RPC vulnerability is the authentication needed?
A: On Windows 2000, XP, and Windows Server 2003 systems arbitrary code can be run without authentication. On Vista systems the authentication is needed.

Q: What is the vulnerable component?
A: It is netapi32.dll (Net Win32 API DLL). On Windows 2000 SP4 the non-affected version is 5.0.2195.7203, on Windows XP SP3 5.1.2600.5694 and on Vista SP1 there are several 6.0.6000.xxxx versions, see KB958644 for details. The vulnerable Windows API call is NetPathCanonicalize(), in turn.
Secunia has renamed its vulnerability advisory to Windows Path canonicalisation vulnerability. It states that processing directory traversal character sequences in path names enables to send drafted RPC requests to the Server Service.

(c) Juha-Matti Laurio, Finland (UTC +2hrs)
The author has released several Microsoft Office 0-day vulnerability FAQ documents, e.g.
blogs.securiteam.com/index.php/archives/759
and Windows Vector Markup Language vulnerability FAQ’s
blogs.securiteam.com/index.php/archives/640
since 2006.

Revision History:
1.0 25-10-2008 Initial release
1.1 26-10-2008 Updated document and some minor fixes
1.2 26-10-2008 Major updates to Trojan section, added credits, information of non-affected dll versions and Snort rule reference
1.3 27-10-2008 Added information about the various file names and sizes, a separate Arpoc section and Nessus plugin reference and [UPDATED] to the title
1.4 27-10-2008 Several virus description release dates and ID’s added, updated the summary to clarify the characteristics of the exploitation
1.5 28-10-2008 Added Microsoft Security Advisory #958963 link
1.6 29-10-2008 Added names to Arpoc Trojan section
1.7 03-11-2008 Updated the exploit/PoC section and added information about the worm exploiting the vulnerability
1.8 04-11-2008 Added names to RPC worm section, updated the summary
1.9 05-11-2008 Added information about Windows HOSTS file modification and new worm names

Credits: Microsoft, AV vendors, Prevx Malware Center