NEWS FROM THE LAB - Monday, October 27, 2008

Here's what has been going on with MS08-067 since Friday Posted by Toni @ 08:59 GMT

As most of you likely know, Microsoft released an out-of-band update on October 23, 2008. An out-of-band release usually means a wormable vulnerability for which exploits are already circulating in the wild. MS08-067 is very similar to MS06-040, the netapi vulnerability from a few years back: both are remotely exploitable flaws in the Windows Server service (netapi32.dll).

We've been working through the weekend, monitoring the situation around this vulnerability.

F-Secure Helsinki Security Lab

We did some timeline analysis on Trojan-Spy:W32/Gimmiv, which exploits the vulnerability. As far as we can see, the first versions of Gimmiv were compiled around the 19th of September, which is well over a month ago. We also did a code comparison between the variants, and mostly the changes between variants are the attackers adjusting parameters rather than introducing new features.
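The timeline above is the kind of result you get by reading the compile timestamp out of each sample's PE header and ordering the samples by it. The script below is an added example, not F-Secure's tooling and not taken from the original post; it assumes the lab used the COFF TimeDateStamp field (the post does not say how the dates were derived), and the sample bytes, file names and first-seen dates are constructed stand-ins rather than real Gimmiv data.

```python
import struct
from datetime import datetime, timezone


def utc_epoch(year, month, day, hour=0, minute=0):
    """Seconds since 1970-01-01 UTC for a calendar date (helper for constructed samples)."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


def pe_compile_time(data):
    """Return the COFF TimeDateStamp of a PE image as a timezone-aware UTC datetime.

    Offsets follow the PE/COFF format: 'MZ' at 0, e_lfanew at 0x3C pointing at
    the 'PE\\0\\0' signature, and the 20-byte COFF header right after it with
    TimeDateStamp at offset +4 inside that header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def build_stub(stamp, e_lfanew=0x80):
    """Constructed test input: a header-only MZ/PE stub carrying the given TimeDateStamp.

    This is not a real sample; it exists only so the example runs offline.
    """
    buf = bytearray(e_lfanew + 24)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine=i386, 3 sections, TimeDateStamp, symbol table ptr/count,
    # optional header size, characteristics (executable, 32-bit)
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x14C, 3, stamp, 0, 0, 0xE0, 0x10F)
    return bytes(buf)


def timeline(samples, first_seen):
    """Order samples by compile time and flag stamps that contradict first-seen dates.

    samples:    name -> file bytes
    first_seen: name -> epoch seconds when the sample first reached the lab

    Compile stamps are attacker-controlled, so they are only evidence when they are
    consistent with something the attacker does not control: a stamp later than the
    first sighting cannot be genuine (forged, or a badly skewed build clock), and a
    stamp years before first sighting is usually a build-system default or a fake.
    """
    rows = []
    for name, blob in samples.items():
        compiled = pe_compile_time(blob)
        seen = datetime.fromtimestamp(first_seen[name], tz=timezone.utc)
        if compiled > seen:
            note = "suspicious: stamp after first sighting"
        elif (seen - compiled).days > 365:
            note = "suspicious: stamp over a year before first sighting"
        else:
            note = "plausible"
        rows.append((compiled, name, note))
    rows.sort()
    return [(name, compiled.strftime("%Y-%m-%d %H:%M UTC"), note)
            for compiled, name, note in rows]


if __name__ == "__main__":
    # Constructed samples and sighting dates (hypothetical names, not real hashes).
    samples = {
        "gimmiv_a.exe": build_stub(utc_epoch(2008, 9, 19, 10, 30)),
        "gimmiv_b.exe": build_stub(utc_epoch(2008, 10, 20, 8, 0)),
        "gimmiv_c.exe": build_stub(utc_epoch(2008, 10, 26, 23, 0)),
    }
    first_seen = {
        "gimmiv_a.exe": utc_epoch(2008, 10, 23),
        "gimmiv_b.exe": utc_epoch(2008, 10, 24),
        "gimmiv_c.exe": utc_epoch(2008, 10, 25),  # sighted before its stamp: flagged
    }
    for row in timeline(samples, first_seen):
        print(row)
```

The consistency check is the part worth keeping: a compile timestamp on its own proves nothing, since the linker field is four bytes the author can set to anything, but a stamp that sits a few weeks before the first submission and agrees across a family of variants is much harder to dismiss.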

Analysis of the code inside the Gimmiv trojan clearly shows that whoever is behind it is an inexperienced coder. The code is riddled with bugs in places where the author clearly didn't read the API documentation closely enough.

Interestingly, Gimmiv also has a self-destruction date. On the earlier samples the date was set to October 5th 2008, 23:59 local time, which has of course already passed, so those samples no longer work unless the computer's date is set incorrectly. On the newest samples the self-destruction date is set to November 30th 2008, 23:59 local time, which gives the latest round of Gimmiv a month to spread.

The weekend was really quiet. We received about a handful of Gimmiv variants and no other malware that uses the same vulnerability. However, last night a new proof-of-concept exploit was released that targets Chinese-language Windows systems. We are keeping a really close eye on the situation, since all it takes is a single working "universal" public exploit for things to go downhill pretty fast.