Daily cyber threats and internet security news: network security, online safety and latest security alerts
October 26th, 2008

Password-Stealing Trojan Spreads Through Latest Windows Zero-Day Vulnerability

A critical security hole fixed by Microsoft with Security Bulletin MS08-067 is being actively exploited in the wild by a new password-stealing Trojan. In addition to gathering and stealing Windows Live, Protected Storage and Microsoft Outlook credentials, which are phoned home to China, the Trojan downloads an additional exploit component from the Internet.

The Trojan uses the vulnerability mentioned above against other hosts on the network: its shellcode downloads the very same Trojan from the Internet onto the victim’s computer and immediately executes it there. The newly infected system in turn downloads the exploit component and attacks further systems, so the whole worm-like cycle starts again from scratch.

Security researchers have identified the new worm, called Gimmiv, which exploits the vulnerability, and a hacker has posted an early sample of exploit code for the flaw on the Web.

Microsoft issued the patch more than two weeks ahead of its next scheduled security updates because the bug could be used to create an Internet worm and Microsoft had already seen a small number of attacks exploiting the flaw.

The vulnerability lies in the Windows Server service used to connect with other devices on networks. Although the firewall software that ships with Windows will block the worm from spreading, security experts are worried that the flaw could be used to spread infections between machines on local-area networks, which are not typically protected by firewalls.

Gimmiv is downloaded onto a target machine via social engineering and then scans and exploits machines on the same network using the newly disclosed vulnerability in the Windows Server service. The worm then loads software that steals passwords, security experts say.

Both Symantec and McAfee Inc. said today that they have seen only a very small number of attacks based on this exploit, but Symantec says that, starting yesterday evening, it observed a 25% jump in network scans looking for potentially vulnerable machines. That could be a sign that more attacks are coming.

That scenario becomes more likely, too, as more tools that exploit the flaw are released to the public. Sample exploit code was posted to the Milw0rm site two days ago, and over the next few days hackers are expected to fold that code into easy-to-use attack tools. The attack code will most likely be used soon to build botnets of infected computers.

Users should deploy the patches provided by Microsoft as soon as possible. The attack can also be mitigated by blocking incoming TCP connections on ports 139 and 445 at the firewall. The vulnerable services are “Computer Browser” and “Server”; both can be stopped and disabled if the PC is not part of a network. Attacks from inside the network can be mitigated by deploying a desktop firewall and disabling file and printer sharing.
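Because the worm spreads by sweeping the local subnet on the Server service ports, a desktop firewall that blocks inbound 139/445 as recommended above also leaves a useful trail: one internal host knocking on port 445 of many neighbours in quick succession. The following script is an added example (not code from the article or from any vendor) that parses Windows Firewall log lines in the pfirewall.log field layout and flags sources with that fan-out; the log lines are constructed, and the threshold of five distinct targets is an assumed tuning value.

```python
from collections import defaultdict

# Constructed sample in Windows Firewall (pfirewall.log) layout: one infected
# host (192.168.1.23) sweeping the subnet on TCP 445/139, plus ordinary
# file-server and web traffic from another host. DROP lines are what a desktop
# firewall that blocks inbound 139/445 would record.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-10-25 21:14:03 DROP TCP 192.168.1.23 192.168.1.10 1045 445 48 S 0 0 65535 - - - RECEIVE
2008-10-25 21:14:03 DROP TCP 192.168.1.23 192.168.1.11 1046 445 48 S 0 0 65535 - - - RECEIVE
2008-10-25 21:14:04 DROP TCP 192.168.1.23 192.168.1.12 1047 445 48 S 0 0 65535 - - - RECEIVE
2008-10-25 21:14:04 DROP TCP 192.168.1.23 192.168.1.13 1048 139 48 S 0 0 65535 - - - RECEIVE
2008-10-25 21:14:05 DROP TCP 192.168.1.23 192.168.1.14 1049 445 48 S 0 0 65535 - - - RECEIVE
2008-10-25 21:14:05 DROP TCP 192.168.1.23 192.168.1.15 1050 445 48 S 0 0 65535 - - - RECEIVE
2008-10-25 21:14:09 OPEN TCP 192.168.1.40 192.168.1.10 3301 445 - - - - - - - - SEND
2008-10-25 21:14:20 OPEN TCP 192.168.1.40 192.168.1.10 3302 80 - - - - - - - - SEND
"""

# Ports of the Windows Server service (SMB over NetBIOS and direct SMB).
SMB_PORTS = {139, 445}

def parse_firewall_log(text):
    """Yield (time, action, protocol, src_ip, dst_ip, dst_port) per data line.

    Header lines start with '#'; field positions follow the #Fields header
    (date time action protocol src-ip dst-ip src-port dst-port ...)."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8 or not f[7].isdigit():
            continue
        yield (f[1], f[2], f[3], f[4], f[5], int(f[7]))

def find_smb_sweepers(text, min_targets=5):
    """Return {src_ip: sorted distinct destinations} for every source that
    touched at least min_targets distinct hosts on TCP 139/445. A legitimate
    client talks to a few file servers; a scanning worm fans out across the
    subnet, which is the pattern this function isolates."""
    targets = defaultdict(set)
    for _time, _action, proto, src, dst, dport in parse_firewall_log(text):
        if proto == "TCP" and dport in SMB_PORTS:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, hosts in find_smb_sweepers(SAMPLE_LOG).items():
        print(f"possible SMB sweep from {src}: {len(hosts)} hosts -> {hosts}")
```

Running it on the constructed sample reports only 192.168.1.23, the host probing six neighbours; 192.168.1.40, which only talks to one file server, stays below the threshold.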
