Monday, October 27, 2008

Minor Update on Gimmiv.A (MS08-067) Worm

Via prevx.com -

It was quite clear that something strange was happening when everyone read the announcement of an out-of-band patch release from Microsoft. Usually Microsoft is quite rigorous about releasing patches and updates on the second Tuesday of the month. This out-of-the-ordinary update has left a lot of people wondering why it was needed.

Then, after Microsoft released security bulletin MS08-067 and the related update KB958644, everything became clearer. A critical vulnerability has been detected in the Windows Server service when handling RPC requests. It is a critical hole similar to the one used by the older Blaster and Sasser worms, a hole that could have opened the door for the return of Worms (with a capital W).

Why did Microsoft release this update in such a hurry? It's easily explained. Sure, it's a dangerous vulnerability, but the matter is that it has been used by some malware for targeted attacks.

After the exploit was discovered, Microsoft decided to release an out-of-band update.

This vulnerability is present in all Microsoft Windows operating systems starting from Windows 2000 (2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista SP1, Server 2008). Ironically, even Microsoft's new operating system, the Windows 7 pre-beta, is vulnerable and needed an update.

On all operating systems prior to Windows Vista (so, Windows 2008 and Windows 7 are excluded) the vulnerability allows the execution of arbitrary code remotely. On Windows Vista and further, the attack must be run from an authenticated user.

[...]

On a side note, Gimmiv.A looks like a test build. Its code is not optimized and is redundant, and there are lots of debug output strings. These are all details that could mean this malware was intended as a beta or debug release, to be used for targeted attacks but still not fully tested.

-----------------------------------

That last paragraph is new to me, I haven't heard that from other vendors that released information on the worm. If they did, then I have missed it up to now.

It makes sense however.

When the vulnerability was released, I figured we had a good week before a reliable public exploit was created (perhaps RCE'd from the patch itself) and some kid threw it in a worm framework. I knew vulnerability researchers would be working on it in short order, but I also knew that the likelihood of them releasing a worm from it was small. But a worm was released almost the same day as the patch, which was a bit unexpected in my book.

This can only mean that someone had this worm...and that they were sitting on it (or had used it as part of the original targeted attacks). Once they saw the cat was out of the bag, they released it to the world to make noise and cover their work. Hence, the unpolished debug code.

If you haven't patched, do it now....
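A small triage helper, added here as an example and not part of the original post or the prevx write-up: it takes a systeminfo-style inventory dump per host, matches the OS and service pack against the affected list quoted above, checks whether KB958644 is installed, and ranks the missing-patch case by the pre-Vista (remote, unauthenticated) versus Vista-and-later (authenticated user) distinction the post draws. The inventory text and the KB0000xx hotfix ids are constructed placeholders; the `OS Name:` / `OS Version:` line layout is an assumption about the input format.

```python
import re

# Platforms the post lists as affected, with the service packs it names.
# An empty set means the post names no particular service pack.
AFFECTED = {
    "Windows 2000": {4},
    "Windows XP": {2, 3},
    "Windows Server 2003": {1, 2},
    "Windows Vista": {1},
    "Windows Server 2008": set(),
    "Windows 7": set(),   # pre-beta, per the post
}
# Per the post: before Vista the hole gives remote arbitrary code execution;
# on Vista and later the attacker must already be an authenticated user.
PRE_VISTA = {"Windows 2000", "Windows XP", "Windows Server 2003"}
PATCH = "KB958644"

# Constructed inventory dumps (placeholder hotfix ids KB0000xx).
SAMPLE_XP_UNPATCHED = """\
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
Hotfix(s): 2 Hotfix(s) Installed.
[01]: KB000001
[02]: KB000002
"""
SAMPLE_VISTA_PATCHED = """\
OS Name: Microsoft Windows Vista Business
OS Version: 6.0.6001 Service Pack 1 Build 6001
Hotfix(s): 1 Hotfix(s) Installed.
[01]: KB958644
"""

def parse_inventory(text):
    """Pull the OS name, service pack number and installed KB ids out of the dump."""
    name = re.search(r"^OS Name:\s*(.+)$", text, re.M)
    sp = re.search(r"^OS Version:.*?Service Pack (\d+)", text, re.M)
    return {
        "os": name.group(1).strip() if name else "",
        "sp": int(sp.group(1)) if sp else None,
        "hotfixes": set(re.findall(r"\bKB\d{6,7}\b", text)),
    }

def assess(text):
    """Return (status, severity) for one host; severity follows the post's split."""
    host = parse_inventory(text)
    product = next((p for p in AFFECTED if p in host["os"]), None)
    if product is None:
        return ("not in post's affected list", "none")
    sps = AFFECTED[product]
    if sps and host["sp"] not in sps:
        return ("service pack not in post's affected list", "none")
    if PATCH in host["hotfixes"]:
        return ("patched", "none")
    if product in PRE_VISTA:
        return ("missing " + PATCH, "critical: remote, unauthenticated")
    return ("missing " + PATCH, "high: requires authenticated user")
```

Hosts whose service pack is outside the quoted list are reported as such rather than as safe, since the post only enumerates what Microsoft listed, not what is unsupported.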
