Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

MS08-067 Worm on the Loose

Published: 2008-12-31
Last Updated: 2008-12-31 14:26:41 UTC
by David Goldsmith (Version: 1)
3 comment(s)

Symantec has identified W32.Downadup.B as a new worm that is spreading by taking advantage of the RPC vulnerability from MS08-067

It does various things to install and hide itself on the infected computer.  It removes any System Restore points that the user has set and disables the Windows Update Service.  It looks for ADMIN$ shares on the local network and tries to brute force the share passwords with a builtin dictionary.  At this point in time, the worm's purpose appears to be simply to spread and infect as many computers as possible.  After January 1, 2009, it will try to reach out to a variety of web sites to pull down an updated copy of itself.  You can find examples of the domain names in the Symantec W32.Downadup.B writeup.

The general form of the URL that it generates is: http://[GENERATED DOMAIN NAME].[TOP LEVEL DOMAIN]/search?q=%d so you could configure proxy servers or IDS sensors to start looking for "/search?q=%d" to find systems on your network that may have possibly been compromised by this worm.

David Goldsmith

Keywords:
3 comment(s)
Diary Archives