林剑 (Newbie, registered 2007-6-12)
#1 Virus exploiting the MS08-067 vulnerability, killed by 微点 (Micropoint)
Quote: [High risk] Virus exploiting the MS08-067 vulnerability
Tags: vulnerability
...Heard the news first thing this morning from EQ in the elite group.
Then all of our DZ members went to download this virus,
because that site is full of H and is blocked in mainland China.
This sample is the newly captured Gimmiv Worm sample.
BitDefender Dropped:Win32.Worm.Gimmiv.A
Final summary... downloading this virus is really hard...
Quote:
MS08-067 Gimmiv Worm
Submitted by dannyquist on Sat, 2008-10-25 01:59.
Here is the Gimmiv worm that was created for the latest Microsoft patch. Kudos to Microsoft for patching the flaw out of band and not sitting on it.
d65df633dc2700d521ae4dff8c393bff
Please comment if you upload other samples and I will update this post.
n1-n9
Submitted by Dobby on Sat, 2008-10-25 05:50.
dc3fdfde66fffb6cfbec946a237787d8 n1.exe_
f173007fbd8e2190af3be7837acd70a4 n2.exe_
3ee354cc8b63b8849b28e6f376f2b263 n3.exe_
6c3e53864541bb13fa7853f7b580b807 n4.exe_
24cd978da62cff8370b83c26e134ff4c n5.exe_
86d75ae361637a8f9114bb3a40f710d3 n6.exe_
ee70f981514803e1fb4e6b65f492a56d n7.exe_
8d66f28d028a4838d09ce4b91d35b7cb n8.exe_
477aac8d472a7bea8b906718a2f50c67 n9.exe_
Archive password: infected
[ This post was last edited by spicalhook on 2008-10-26 17:07 ]
Attachment: TR.Gimmiv.A.zip (1.52 MB)
Quote: The malware detected as Win32.Worm.Gimmiv.A drops in %system32%\wbem\ the following files: basesvc.dll, winbase.dll, syicon.dll.
The winbase.dll file is then registered as a service, and, after it's started up, it loads basesvc.dll and syicon.dll into the memory.
After loading the mentioned DLLs, the worm starts collecting information from the infected system, such as the user name and password, the locally installed antivirus products and usernames and passwords from Outlook Express and MSN Messenger.
Basesvc.dll is then using the MS08-067 exploit, a vulnerability of a Server service on Windows, and through various RPC requests attempts to replicate the worm onto the network machines.
It uses the srvsvc pipe as an RPC interface, registered with the UUID: 4b324fc8-1670-01d3-1278-5a47bf6ee188 for remote code execution in order to be able to propagate and execute onto every vulnerable system.
The most affected systems are those that run Windows 2000, Win XP, and Windows Server 2003 as operating systems, with the firewall disabled or with exceptions on the firewall for File and printer sharing.
Quote: Yesterday was all abuzz about a new vulnerability patch from Microsoft, released out of their normal schedule of Patch Tuesday. MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution (958644) was released at 1pm US Eastern to address very major issues. Everyone should review the patch, do some testing, and update ASAP. We’re hearing some reports of WiFi driver issues post patching, so do your prep work on this one. We know the issue affects all of the major, common versions of Windows:
Windows XP
Windows 2003
Windows Vista
Windows 2008 Server
The patch was made out of the normal cycle because malcode was on the loose using the vulnerability to spread. Specifically, this vulnerability is a buffer overflow in an unauthenticated Windows SMB file sharing session on TCP ports 139 or 445 in the Windows API call NetPathCanonicalize(). A malicious client can bind to the service and issue a request with an overly long argument, overflowing a buffer and possibly executing arbitrary code on the vulnerable server. This is how the malcode is getting onto systems.
The vulnerability is on TCP ports that see a lot of scanning, but we can baseline the activity to look for spikes. Here’s 30 days of activity for TCP ports 139 and 445 from ATLAS; we’re not seeing a huge scanning spike:
TCP port 139 scanning activity
TCP port 445 scans
While highly wormable — on by default, exploit code is now out, etc — it’s not a Sasser-like situation. Thankfully. This is likely to be mitigated by things like the default firewall in XP SP2 and the like. But we are seeing some malcode on that service.
The Gimmiv family of malware is propagating by exploiting MS08-067. We first received samples related to this family of malware on 2008-10-08 using reports from a trusted partner, so this was fully two weeks before the patch release. Samples we have analyzed are NOT packed with any Windows PE packer, which is more uncommon these days. Once the malcode is on the system, it drops the following files:
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\macnabi.log
C:\WINDOWS\system32\wbem\basesvc.dll
C:\WINDOWS\system32\wbem\syicon.dll
C:\WINDOWS\system32\wbem\winbase.dll
It then contacts three HTTP servers with GET requests:
doradora.atzend.com
perlbody.t35.com
summertime.1gokurimu.com
The malcode then creates several new files:
C:\Documents and Settings\User\Local Settings\Temp\FPMOOWRB.bat
C:\WINDOWS\system32\wbem\sysmgr.dll
C:\WINDOWS\system32\basesvc.dll
C:\WINDOWS\system32\inetproc02x.cab
C:\WINDOWS\system32\install.bat
C:\WINDOWS\system32\scm.bat
C:\WINDOWS\system32\syicon.dll
C:\WINDOWS\system32\winbase.dll
C:\WINDOWS\system32\winbaseInst.exe
The Windows Batch File above is run using cmd.exe. It also sends an ICMP Echo Request packet to multiple IP addresses, using a unique payload: “abcde12345fghij6789”. This is done via the Win32 API call IcmpSendEcho().
Finally, it shuts down the System Manager service using a shell command (calling out to cmd.exe).
The malware’s main purpose is to steal information from the infected user’s host.
Static analysis of the malcode binaries reveals additional interesting data. First, the malcode contains multiple IP addresses hardcoded into it: 212.227.93.146, 64.233.189.147, and 202.108.22.44. The malcode references some VBS files, msrclr40.vbs and nkzclear.vbs, and contains some VBS strings:
WScript.Sleep 5
Dim oFS
set oFS = WScript.CreateObject("Scripting.FileSystemObject")
oFS.DeleteFile "%s"
oFS.DeleteFile "%s"
oFS.CreateFolder "%s"
%s\%s
WScript.Sleep 5
Dim oFS
set oFS = WScript.CreateObject("Scripting.FileSystemObject")
oFS.DeleteFile "%s"
oFS.DeleteFile "%s"
%s\%s
WScript.Sleep 5
Dim oFS
set oFS = WScript.CreateObject("Scripting.FileSystemObject")
oFS.DeleteFile "%s"
oFS.CreateFolder "%s"
oFS.CopyFile "%s", "%s\"
oFS.DeleteFile "%s"
oFS.DeleteFile "%s"
It also contains a CLSID for the credentials DLL, consistent with a credential theft tool. This has been used to grab decrypted passwords from MSN Messenger, for example. This format string batch is also present, suggesting a possible log structure:
===============Outlook Express===============
===============Credential Info================
============Protected Storage Info=============
ID:
Pass:
URL:
In short, not a hugely wormy piece of software, but instead a typical infostealer Trojan.
What’s very interesting about this malcode, even from a quick review of it, is that the malcode doesn’t make use of a lot of Windows APIs consistently, suggesting this was quickly mashed together. Why use “/c reg delete “HKLM\SYSTEM\CurrentControlSet\Services\%s” /f” when you can use the Windows Registry API directly? This doesn’t jive with the notion that the author(s) were able to develop a new, 0day functional exploit, even from fuzzing. This leads me to suspect they stole it from someplace else and bolted it - crudely - into this malcode. If that’s true, then there’s someone using this as a 0day prior to this patch release and all of this attention. Anyone have attack logs that would suggest 0day activity outside of this malcode?
[ Last edited by 林剑 on 2008-10-26 at 18:33 ]
Attachment: 1.JPG (2008-10-26 18:02, 24.31 K, 29 downloads)
※ ※ ※ This post is purely the personal opinion of 林剑 and has nothing to do with the position of 微点交流论坛 ※ ※ ※
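The quoted write-ups give a usable set of host and network indicators for this worm: the dropped file names, the three HTTP hosts, the hardcoded IP addresses, the ICMP Echo Request payload and the sample MD5s. The script below gathers them into a small triage helper that runs the checks over simple "KIND value" event lines. It is an added example, not code from the forum post or from BitDefender, Arbor Networks or Offensive Computing; the log line format, the sample log and the benign entries in it are constructed for the demonstration, while the indicator values are exactly the ones the thread quotes.

```python
"""Host and network triage against the Gimmiv indicators quoted in this thread.

Added example: this is not code from the forum post or from BitDefender, Arbor
Networks or Offensive Computing. The 'KIND value' log format and the sample log
lines are constructed for the demonstration; the indicator values themselves are
the ones the quoted write-ups give.
"""
import hashlib
import ntpath
import re

# File names the BitDefender and Arbor write-ups list as dropped or created by the worm.
DROPPED_FILE_NAMES = {
    "basesvc.dll", "winbase.dll", "syicon.dll", "sysmgr.dll",
    "inetproc02x.cab", "winbaseinst.exe", "macnabi.log",
}

# HTTP servers contacted with GET requests, and IP addresses hardcoded in the binary (Arbor).
CONTACTED_HOSTS = {"doradora.atzend.com", "perlbody.t35.com", "summertime.1gokurimu.com"}
HARDCODED_IPS = {"212.227.93.146", "64.233.189.147", "202.108.22.44"}

# Payload of the ICMP Echo Requests the worm sends (Arbor).
ICMP_PAYLOAD = b"abcde12345fghij6789"

# MD5 hashes of the samples posted on Offensive Computing (from the thread).
SAMPLE_MD5S = {
    "d65df633dc2700d521ae4dff8c393bff",
    "dc3fdfde66fffb6cfbec946a237787d8", "f173007fbd8e2190af3be7837acd70a4",
    "3ee354cc8b63b8849b28e6f376f2b263", "6c3e53864541bb13fa7853f7b580b807",
    "24cd978da62cff8370b83c26e134ff4c", "86d75ae361637a8f9114bb3a40f710d3",
    "ee70f981514803e1fb4e6b65f492a56d", "8d66f28d028a4838d09ce4b91d35b7cb",
    "477aac8d472a7bea8b906718a2f50c67",
}


def file_indicator(path):
    """Return the matching dropped-file name (lower case) for a Windows path, else None."""
    name = ntpath.basename(path).lower()
    return name if name in DROPPED_FILE_NAMES else None


def network_indicator(target):
    """Classify a DNS name or IP as a known Gimmiv contact ("host"/"ip"), else None."""
    t = target.strip().lower()
    if t in CONTACTED_HOSTS:
        return ("host", t)
    if t in HARDCODED_IPS:
        return ("ip", t)
    return None


def icmp_indicator(payload):
    """True if an ICMP Echo Request payload carries the worm's marker string."""
    return ICMP_PAYLOAD in payload


def sample_is_known(data):
    """True if the MD5 of the given bytes is one of the posted sample hashes."""
    return hashlib.md5(data).hexdigest() in SAMPLE_MD5S


LINE_RE = re.compile(r"^(FILE|DNS|CONN|ICMP)\s+(.+)$")


def triage(lines):
    """Run the indicator checks over 'KIND value' log lines.

    Returns a list of (kind, value, indicator) tuples, one per hit, in input order.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, value = m.groups()
        if kind == "FILE":
            ind = file_indicator(value)
            if ind:
                hits.append(("file", value, ind))
        elif kind in ("DNS", "CONN"):
            ind = network_indicator(value)
            if ind:
                hits.append((kind.lower(), value, ind[1]))
        elif kind == "ICMP":
            # The ICMP payload is logged as hex so the line stays printable.
            if icmp_indicator(bytes.fromhex(value)):
                hits.append(("icmp", value, ICMP_PAYLOAD.decode()))
    return hits


# Constructed sample log: one benign entry per kind alongside the indicator hits.
SAMPLE_LOG = [
    r"FILE C:\WINDOWS\system32\wbem\basesvc.dll",
    r"FILE C:\WINDOWS\system32\notepad.exe",
    "DNS doradora.atzend.com",
    "DNS www.example.com",
    "CONN 202.108.22.44",
    "CONN 192.0.2.10",
    "ICMP " + ICMP_PAYLOAD.hex(),
    "ICMP " + b"abcdefghijklmnopqrstuvwabcdefghi".hex(),  # ordinary ping-style data
]

if __name__ == "__main__":
    for kind, value, indicator in triage(SAMPLE_LOG):
        print(f"{kind:5} {value} -> {indicator}")
```

The file check keys only on the base name, so a hit on its own is a lead rather than a verdict; the write-ups place the DLLs under %system32%\wbem\ and %system32%, and a file found there alongside a DNS or ICMP hit is far stronger than either signal alone. The hash check is the most precise and the least durable, since it only covers the specific samples posted in the thread.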