Password-Stealing Trojan Spreads Through Latest Windows Zero-Day Vulnerability
A critical security hole fixed by Microsoft in Security Bulletin MS08-067 is being actively exploited in the wild by a new password-stealing Trojan. In addition to gathering and stealing Windows Live, Protected Storage and Microsoft Outlook credentials, which are phoned home to servers in China, the Trojan downloads an additional exploit component from the Internet.
The Trojan uses that component to exploit the vulnerability on attacked hosts; the shellcode downloads the very same Trojan from the Internet onto the victim's computer and immediately executes it there. The newly infected system then downloads the exploit component in turn and attacks other systems, so the whole worm-like process starts again from scratch.
Security researchers identified the new worm, called Gimmiv, which exploits the vulnerability, and a hacker posted an early sample of code that could be used to exploit the flaw on the Web.
Microsoft issued the patch more than two weeks ahead of its next scheduled security updates because the bug could be used to create an Internet worm, and Microsoft had already seen a small number of attacks that exploited the flaw.
The vulnerability lies in the Windows Server service, which is used to share files and printers with other devices on the network. Although the firewall software that ships with Windows blocks the worm from spreading over the Internet, security experts worry that the flaw could be used to spread infections between machines on local-area networks, where hosts are not typically separated from each other by firewalls.
Gimmiv is downloaded onto a target machine via social engineering and then scans and exploits machines on the same network using the newly disclosed Server service vulnerability. The worm then loads software that steals passwords, security experts say.
Both Symantec and McAfee Inc. said today that they had seen only a very small number of attacks based on this exploit, but Symantec says that, starting yesterday evening, it saw a 25% jump in network scans looking for potentially vulnerable machines. That could be a sign that more attacks are coming.
That scenario becomes more likely as more tools exploiting the flaw are released to the public. Sample exploit code was posted to the Milw0rm site two days ago, and over the next few days hackers are expected to fold that code into easy-to-use attack tools. The attack code will most likely soon be used to build botnets of infected computers.
Users should deploy the patch provided by Microsoft as soon as possible. In addition, the attack can be mitigated by blocking incoming TCP connections on ports 139 and 445 at the firewall. The vulnerable services are the Server service and the Computer Browser service; both can be stopped and disabled if the PC does not need to share files or printers on a network. Attacks from inside the network can be mitigated by deploying a desktop (host-based) firewall and disabling file and printer sharing.
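The workarounds above, scripted for a single Windows host as an added example (this is not code from the original article or from Microsoft). It assumes a Windows version with the `netsh advfirewall` context, PowerShell's service cmdlets and `Get-NetTCPConnection`, an elevated prompt, and uses KB958644, the hotfix ID Microsoft assigned to MS08-067, to decide whether the workarounds are still needed. Service names `LanmanServer` (Server) and `Browser` (Computer Browser) are the real Windows service names; everything else is illustrative.

```powershell
# Added example: apply the MS08-067 workarounds from the paragraph above.
# Assumptions: modern Windows, elevated PowerShell, netsh advfirewall available.
#Requires -RunAsAdministrator

function Test-MS08067Patched {
    # $true when KB958644 (the MS08-067 hotfix) is installed on this host.
    return [bool](Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)
}

function Block-SmbInbound {
    # Drop inbound NetBIOS session (139) and direct-hosted SMB (445) TCP
    # connections; the exploit reaches the Server service over RPC on these ports.
    # In Windows Firewall an explicit block rule wins over any allow rule.
    netsh advfirewall firewall add rule `
        name="Block inbound SMB (MS08-067 workaround)" `
        dir=in action=block protocol=TCP localport=139,445 | Out-Null
    # Also switch off the built-in File and Printer Sharing exception group,
    # which is the "disable file/printer sharing" step for inside attacks.
    netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No | Out-Null
}

function Disable-VulnerableServices {
    # 'LanmanServer' is the Server service, 'Browser' the Computer Browser service.
    # Only do this on a machine that does not need to share files or printers.
    foreach ($svc in 'Browser', 'LanmanServer') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($null -eq $s) { continue }   # Computer Browser is absent on recent Windows
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }
}

function Get-SmbExposure {
    # Anything still listening on 139/445 after the workarounds, for verification.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

if (Test-MS08067Patched) {
    Write-Host 'KB958644 is installed: this host is patched for MS08-067.'
} else {
    Write-Warning 'KB958644 missing: applying workarounds until the patch is installed.'
    Block-SmbInbound
    Disable-VulnerableServices
}
Get-SmbExposure
```

Stopping `LanmanServer` with `-Force` also stops services that depend on it, so run the script only on workstations that are not serving files or printers; on a file server, apply the patch and keep the port block limited to untrusted interfaces instead.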