Security Bytes

Nov 26 2008   10:34AM GMT

New worm attacking MS08-067 vulnerability

David Schneier David Schneier Profile: David Schneier

More than a month after releasing an emergency patch for the MS08-067 RPC vulnerability, Microsoft on Tuesday warned that it is seeing increased levels of attack activity against the flaw. The company said there is a new worm, being called Win32/Conficker.A, which is exploiting the RPC flaw and spreading in both enterprises and in home-user environments. Conficker opens a random TCP port between 1024 and 10000 and then starts exploiting the MS08-067 vulnerability on other PCs on the network.

Once the remote computer is exploited, that computer will download a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over and then it is saved to the local system folder as a random named dll. It is also interesting to note that the worm patches the vulnerable API in memory so the machine will not be vulnerable anymore. It is not that the malware authors care so much about the computer as they want to make sure that other malware will not take it over too.

This is the second piece of automated malware that has cropped up to attack the MS08-067 weakness. In the days immediately following Microsoft’s release of the patch last month, a worm called Gimmiv appeared and began exploiting the same flaw. The level of attacks against this particular flaw aren’t surprising, given the fact that it exists in every supported version of Windows and was severe enough for Microsoft to issue one of its unusual out-of-band patches.

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: