A new MS08-067 exploit silently made its entrance last week as the rest of the world was keeping watch on DOWNAD’s next step. In what seems to be a case of “old worm with new tricks,” the worm Neeris, which has been active for a few years now, was found updated with the now infamous MS08-067 exploit.
The number of PCs infected by this variant, detected by Trend Micro as WORM_NEERIS.A, reportedly spiked at almost the same time that DOWNAD was supposed to do its thing. However, despite similarities between DOWNAD and Neeris, Microsoft reports that no evidence has been found suggesting any connection between the two.
Apart from propagating through the Microsoft Server Service Vulnerability, WORM_NEERIS.A also propagates through removable drives, SQL servers, and the instant messaging application MSN Messenger. It also drops a rootkit component, detected as RTKT.FARFLI.UW, which it uses to hide its processes. This worm also opens the affected system’s port 449 and connects to a certain site where it waits for commands sent by a remote user.
Whether Neeris will be able to live up to the mark left by DOWNAD is anyone’s guess for now. Sadly, the emergence of another threat leveraging the same vulnerability that had just been in the global spotlight indicates that there are still users who are unable to see the importance of updating their systems. Users must realize that cyber criminals will continue to strike as long as they keep themselves vulnerable. So please, update your systems here.