Earlier today, Microsoft released a security bulletin regarding a critical vulnerability in the Server Service, which allows an attacker to perform remote code execution by sending a specially crafted RPC request to a target system. This vulnerability may be used by malicious users to craft a wormable exploit, which, if designed to do so, could leave corporate networks clogged and virtually unusable. According to Microsoft, the bulletin was released outside of its monthly release cycle to protect customers from any attempted attacks related to this flaw.
Not long after the release, TrendLabs received reports of a zero-day exploit that takes advantage of this vulnerability. According to Trend Micro Advanced Threats Researcher Paul Ferguson, this exploit downloads a malicious file from a specific IP address. We now detect the downloaded file as TSPY_GIMMIV.A. Based on initial analysis, this spyware has routines that check the registry for entries related to antivirus software, possibly in an attempt to avoid detection.
The span of time between the reports of the vulnerability and the discovery of the exploits is so narrow that researchers have reason to believe the vulnerability was known to the hackers first. Hackers may have already been actively exploiting this bug days before Microsoft got wind of the vulnerability. Note that Patch Tuesday was released just a little over a week ago. But kudos to Microsoft for delivering this immediate solution to prevent more users from becoming victims.
Trend Micro Smart Protection Network already blocks the malicious URL from which this spyware is downloaded. We highly recommend that users immediately update their computers by downloading and applying the patch provided by Microsoft.