MS06-040 exploit in the wild

Published: 2006-08-13
Last Updated: 2006-08-13 17:57:47 UTC
by Swa Frantzen (Version: 7)
We have caught a live exploit against a Windows 2000 Server. The packets in the pcap of the exploit fire the Snort signatures for the vulnerability described in MS06-040.

We have multiple independent sources of reports at this time.

It looks like it's building a botnet (as we expected).
Signs defenders should look for:
  • Filename: wgareg.exe, MD5: 9928a1e6601cf00d0b7826d13fb556f0 (this is the bot)
  • Incoming traffic on 445/TCP (note that there is a lot of background noise on that port, so this alone proves little).
  • Snort signatures firing on:
    • BLEEDING-EDGE EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)  [Bleedingsnort]
    • NETBIOS SMB-DS srvsvc NetrPathCanonicalize little endian overflow attempt [Sourcefire VRT]
  • Outgoing traffic to bniu.househot.com:18067 (command and control server; the name resolves to multiple IPs; IRC)
  • Outgoing traffic to ypgw.wallloan.com:18067 [we haven't seen this one ourselves, but we do have multiple independent sources confirming it]
  • Outgoing traffic to port 445/TCP (scanning for victims and exploiting them)
Since this is a botnet, the bots can do much more, depending on what the controller has in store for them. Unfortunately, that means the only way to clean an infected machine you ever want to trust again is to wipe the disk and rebuild it.
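
To turn the indicators above into something you can run over your own logs, here is an added example in Python (not part of the original diary and not code from the bot or from ISC): it matches file hashes against the published MD5, parses a small constructed connection log in an assumed "timestamp src -> dst:port proto" format, flags outbound sessions to the listed C&C hosts on 18067/TCP, and flags internal hosts fanning out to many distinct targets on 445/TCP. The log lines, the log format and the five-target scanning threshold are assumptions made for the example.

```python
"""Match the diary's network and file indicators against constructed data."""
import hashlib
import re
from collections import defaultdict

# Indicators taken from the diary entry.
BOT_FILENAME = "wgareg.exe"
BOT_MD5 = "9928a1e6601cf00d0b7826d13fb556f0"
C2_HOSTS = {"bniu.househot.com", "ypgw.wallloan.com"}
C2_PORT = 18067
SMB_PORT = 445


def md5_hex(data: bytes) -> str:
    """MD5 of a byte string as lower-case hex (used only as an identifier, not for integrity)."""
    return hashlib.md5(data).hexdigest()


def is_known_bot(md5: str) -> bool:
    """Case- and whitespace-insensitive match against the published bot hash."""
    return md5.strip().lower() == BOT_MD5


# Constructed connection log (not a real capture) in an assumed format:
# "<timestamp> <src_ip> -> <dst_host>:<dst_port> <proto>"
SAMPLE_LOG = """\
2006-08-13T02:11:04Z 10.0.0.5 -> 10.0.0.17:445 TCP
2006-08-13T02:11:04Z 10.0.0.5 -> 10.0.0.18:445 TCP
2006-08-13T02:11:05Z 10.0.0.5 -> 10.0.0.19:445 TCP
2006-08-13T02:11:05Z 10.0.0.5 -> 10.0.0.20:445 TCP
2006-08-13T02:11:06Z 10.0.0.5 -> 10.0.0.21:445 TCP
2006-08-13T02:11:06Z 10.0.0.5 -> 10.0.0.22:445 TCP
2006-08-13T02:11:09Z 10.0.0.5 -> bniu.househot.com:18067 TCP
2006-08-13T02:11:10Z 10.0.0.9 -> 10.0.0.1:445 TCP
2006-08-13T02:11:11Z 10.0.0.9 -> www.example.com:80 TCP
2006-08-13T02:11:12Z 10.0.0.12 -> ypgw.wallloan.com:18067 TCP
2006-08-13T02:11:13Z 10.0.0.12 -> 10.0.0.17:445 TCP
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+->\s+"
    r"(?P<dst>[^:\s]+):(?P<dport>\d+)\s+(?P<proto>[A-Za-z]+)$"
)


def parse_log(text: str) -> list:
    """Parse the assumed log format into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        rec["proto"] = rec["proto"].upper()
        records.append(rec)
    return records


def c2_connections(records) -> list:
    """Outbound connections to the listed C&C hosts on 18067/TCP."""
    return [r for r in records
            if r["dst"].lower() in C2_HOSTS and r["dport"] == C2_PORT and r["proto"] == "TCP"]


def smb_scanners(records, min_targets: int = 5) -> dict:
    """Sources that touched at least min_targets distinct hosts on 445/TCP.

    The threshold is a tuning assumption: 445/TCP carries plenty of legitimate
    background noise, so a single connection is not evidence of anything.
    """
    targets = defaultdict(set)
    for r in records:
        if r["dport"] == SMB_PORT and r["proto"] == "TCP":
            targets[r["src"]].add(r["dst"])
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


def suspect_hosts(text: str, min_targets: int = 5) -> list:
    """Internal hosts showing either network indicator, sorted for stable output."""
    records = parse_log(text)
    hosts = {r["src"] for r in c2_connections(records)}
    hosts.update(smb_scanners(records, min_targets))
    return sorted(hosts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("C&C connections:", [(r["src"], r["dst"]) for r in c2_connections(recs)])
    print("445/TCP scanners:", smb_scanners(recs))
    print("suspect hosts:", suspect_hosts(SAMPLE_LOG))
```

On the constructed log, 10.0.0.5 is flagged on both counts (six distinct 445/TCP targets and a session to the C&C host) and 10.0.0.12 only for its C&C session; 10.0.0.9 makes one SMB connection and is correctly left alone. Adapt LOG_RE to your own firewall or NetFlow export format rather than the assumed one.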

Please do not ask for samples at this point.
We have shared it with the usual anti-virus vendors already.

Should you find other activity from these bots, or a sample with a different MD5, we would very much appreciate a copy via the contact page.

We ran the bot through VirusTotal:
Scan results
File: wgareg.exe
Date: 08/13/2006 03:03:43 (CET)
AntiVir found [HEUR/Crypted.Layered]
Authentium 4.93.8/20060812 found [Possibly a new variant of W32/Threat-HLLIM-based!Maximus]
Avast 4.7.844.0/20060810 found nothing
AVG 386/20060811 found nothing
BitDefender 7.2/20060813 found [Generic.Malware.IXdld.658BDD6B]
CAT-QuickHeal 8.00/20060812 found [(Suspicious) - DNAScan]
ClamAV devel-20060426/20060813 found nothing
DrWeb 4.33/20060812 found nothing
eTrust-InoculateIT 23.72.94/20060812 found nothing
eTrust-Vet 30.3.3012/20060811 found nothing
Ewido 4.0/20060812 found nothing
Fortinet found nothing
F-Prot 3.16f/20060811 found [Possibly a new variant of W32/Threat-HLLIM-based!Maximus]
F-Prot4 found [W32/Threat-HLLIM-based!Maximus]
Ikarus found nothing
Kaspersky found nothing
McAfee 4827/20060811 found nothing
Microsoft 1.1508/20060804 found nothing
NOD32v2 1.1704/20060811 found [a variant of Win32/IRCBot.OO]
Norman 5.90.23/20060811 found [W32/Suspicious_M.gen]
Panda found [Suspicious file]
Sophos 4.08.0/20060812 found nothing
Symantec 8.0/20060813 found nothing
TheHacker found nothing
UNA 1.83/20060811 found nothing
VBA32 3.11.0/20060811 found nothing
VirusBuster 4.3.7:9/20060812 found nothing
wgareg.exe modifies the Windows registry. One of the things it adds is a description of its own service: "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.". Right ... It also appears to change settings related to the firewall and file sharing.
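
As an added example (not from the diary, ISC, or the bot itself), the following Python parses a registry export in regedit's .reg format and flags any service whose ImagePath points at wgareg.exe or whose Description is exactly the string quoted above. The export text is constructed here; apart from that description and the file name, the service key name, image path and set of values are assumptions, and the Computer Browser entry is included only as a benign control.

```python
"""Flag services in a .reg export that carry the wgareg.exe indicators."""
import re

# Strings taken from the diary: the description the bot writes, and its file name.
BOT_DESCRIPTION = ("Ensures that your copy of Microsoft Windows is genuine and registered. "
                   "Stopping or disabling this service will result in system instability.")
BOT_FILENAME = "wgareg.exe"
# Assumed image path for the bot's service (the diary does not state where it lives).
BOT_IMAGE = r"%SystemRoot%\System32\wgareg.exe"

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"


def to_hex2(s: str) -> str:
    """Encode a string the way reg export writes REG_EXPAND_SZ: hex(2):xx,xx,... (UTF-16LE, NUL-terminated)."""
    data = (s + "\0").encode("utf-16-le")
    return "hex(2):" + ",".join(f"{b:02x}" for b in data)


# Constructed export (not taken from an infected machine). The wgareg key name
# and its values other than Description are assumptions for the example.
SAMPLE_REG = rf"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"DisplayName"="Computer Browser"
"ImagePath"="C:\\WINNT\\System32\\services.exe"
"Start"=dword:00000002
"Description"="Maintains an up-to-date list of computers on your network and supplies the list to programs that request it."

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wgareg]
"ImagePath"={to_hex2(BOT_IMAGE)}
"Start"=dword:00000002
"Description"="{BOT_DESCRIPTION}"
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def decode_value(data: str) -> str:
    """Decode REG_SZ ("...", with \\ and \" escapes) and REG_EXPAND_SZ (hex(2):...); other types are returned as written."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("hex(2):"):
        raw = bytes(int(h, 16) for h in data[7:].split(",") if h)
        return raw.decode("utf-16-le").rstrip("\0")
    return data


def parse_reg(text: str) -> dict:
    """Map each key path to a dict of {value name: decoded data}."""
    keys, current = {}, None
    lines = iter(text.splitlines())
    for line in lines:
        while line.endswith("\\"):  # reg export wraps long hex data with a trailing backslash
            line = line[:-1] + next(lines, "").strip()
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m["key"], {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m["name"]] = decode_value(m["data"])
    return keys


def suspicious_services(text: str) -> list:
    """(service name, reasons) for services whose ImagePath names wgareg.exe or whose Description is the bot's."""
    hits = []
    for key, values in parse_reg(text).items():
        if not key.startswith(SERVICES_PREFIX):
            continue
        name = key[len(SERVICES_PREFIX):]
        if "\\" in name:  # skip subkeys such as Parameters, Enum, Security
            continue
        reasons = []
        if BOT_FILENAME in values.get("ImagePath", "").lower():
            reasons.append("ImagePath")
        if values.get("Description") == BOT_DESCRIPTION:
            reasons.append("Description")
        if reasons:
            hits.append((name, reasons))
    return hits


if __name__ == "__main__":
    print(suspicious_services(SAMPLE_REG))
```

To run it against a real machine, export HKLM\SYSTEM\CurrentControlSet\Services with regedit and feed the file in; "Windows Registry Editor Version 5.00" exports are UTF-16, so open them with encoding="utf-16". The Description match is exact on purpose: a variant that changes even one word (as the LURHQ variant might) needs its own string, which is why the ImagePath check is there as a second, independent indicator.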

LURHQ also has a write-up on this by Joe Stewart; they found a variant of the binary with a different MD5 and slightly different behaviour.

Thanks to all involved: William, Jim, Scott, Dan and all those I forgot.

Swa Frantzen -- Section 66