Bots exploiting Microsoft's latest RPC flaw

Systems not yet patched for a recently announced flaw are vulnerable to a trio of malware that could enlist the compromised computer to attack sites in China.

Several antivirus vendors are reporting on Monday a new round of exploitation of Microsoft's out-of-cycle security bulletin last month. The flaw in MS08-067, which affects how remote procedure calls (RPC) are handled in the Windows Server Service, has the potential to become a fast-spreading worm, according to Microsoft. But experts predict any exploitation will be bundled within an existing Trojan horse or botnet package because that's where criminals can make the most money from the malware code.

Ken Dunham of iSIGHT Partners said his company was looking at three samples of interest.

One is what F-Secure is calling Rootkit.Win32.KernelBot.dg; another is what Symantec calls W32.Wecorl. A third appears to be a weak variant of the Wecorl. "All appear to be related to bots, components for building a botnet, than the Gimmiv Trojan, one of the first to exploit the vulnerability in MS08-067 and was used to steal personal information.

Dunham said these samples of malware appear to be autorooters, malicious programs that are designed to automatically scan and attack targeted computers. He stressed that what we're seeing today are not worms, but autorooters, which are still a manual process but are nonetheless a major step toward automating the code.

The way the attack works is that the criminal points his computer at a target PC. The autorooter goes out to the Internet and pulls down exploit code for vulnerabilities including MS08-067. Once the target computer is compromised, the criminal then installs "code of choice." Dunham said so far he's seen a back door version of the eMule client application installed along with a few other files. This gives the criminal anonymous access and control to the compromised machine and makes it part of a larger botnet . So far the botnet has been used to create denial-of-service attacks on sites mostly in China, including Google.cn.

Tags:
Security
About the author

    As CNET's former resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security.

     

    Join the discussion

    Conversation powered by Livefyre

    Show Comments Hide Comments
    Latest Galleries from CNET
    Tech industry's high-flying 2014
    Uber's tumultuous ups and downs in 2014 (pictures)
    The best and worst quotes of 2014 (pictures)
    A roomy range from LG (pictures)
    This plain GE range has all of the essentials (pictures)
    Sony's 'Interview' heard 'round the world (pictures)