Threat Level: green Handler on Duty: Remco Verhoef

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2008-11-03 InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

MS08-067 Worm in the wild?

Published: 2008-11-03
Last Updated: 2008-11-04 14:20:19 UTC
by Joel Esler (Version: 6)
0 comment(s)

UPDATE 2:  After waking up this morning and reading my email, I've noticed that there are at least 2 variants of a worm spreading using the MS08-067 vulnerability.  One of the variants spreads through exploit and through at least one P2P Network (Emule). 

From what I can see, there is scanning that takes place on port 139 to find other machines, and the exploit takes place over port 445.  This is the primary method of spreading.  I would suggest, if you haven't already, to block these ports at your outer firewall.  That will keep it from getting in via network exploitation, now you just have to worry about things like VPN users, people bringing it in from home on their laptops, etc.  All the usual suspects. 

Make sure your systems are fully patched, make sure you have the latest virus definitions, make sure your firewalls are secure, make sure your IDSs are updated to detect the threat.

I think these are the first couple worms in a series of worms that we will see, each getting more sophisticated.  So, unless something new comes up, I won't update this diary entry anymore.


UPDATE 1:  The "Worm" appears to be spreading over local network.  Port 445.

Speaking from a Snort perspective, as pointed out in the VRT blog, not only does this worm trigger off of the new rules that Sourcefire has written for Snort for the newest 08-067 vulnerability, but this particular variant of the worm triggers an older rule that VRT wrote for 06-040.  (Since this worm uses one of the milw0rm exploits).  1:7224.

I took a pcap that we received of the worm traffic on port 445 ran it through Snort.  The following rules alerted:

[1:7224:8] NETBIOS SMB-DS srvsvc NetrPathCanonicalize unicode little endian overflow attempt

[3:14817:1] NETBIOS SMB srvsvc NetrpPathCononicalize unicode little endian path cononicalization stack overflow attempt

[3:14783:1] NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrpPathCononicalize little endian path cononicalization stack overflow attempt

The first one is the 06-040 rule that I was telling you about above, the send two are shared object rules written for this vulnerability.  The rules are available here.

Stay tuned, as I will attempt to keep you updated.



We have received a report of a wild MS08-067 worm.


Reported file size 16,384 bytes:

Kaspersky Lab detect the new wave as

and Microsoft as

Sophos uses name Mal/Generic-A.

Much thanks to Juha-Matti for sending us an email.

-- Joel Esler

0 comment(s)

Day 34 -- Feeding The Lessons Learned Back to the Preparation Phase

Published: 2008-11-03
Last Updated: 2008-11-03 17:25:58 UTC
by Joel Esler (Version: 1)
0 comment(s)

This, being the last day of CyberSecurity Awareness Month, here's your last topic for 'food for thought'.

Today's topic is "Feeding the Lessons Learned Back to the Preparation Phase".

Once you completed your project, once you've made your "Cyber" Secure, how can you help out the next phase?  How can you not only help out your own company, but other companies as well?  Other companies, other parts of your company, could be about to go through the project that you just went through.  Deploying an IDS?  Deploying a Firewall?  How can you make the job that you just performed easier on the next guy?

There are always some mistakes made in the process, how can you make your process mistake free next time? 

Please submit your thoughts via the contact page.


-- Joel Esler

Keywords: Awareness2008
0 comment(s)
Diary Archives