After last month’s ruckus made by Microsoft’s out-of-band patch, another threat leveraging the MS08-067 vulnerability was recently reported to have been causing more trouble in the wild.
A worm detected by Trend Micro as WORM_DOWNAD.A was found to use the MS08-067 vulnerability to propagate via networks. Trend Micro researchers also noticed high traffic on the affected system’s port 445 upon successful exploitation, after which it connects to a certain IP address to download a copy of itself.
The discovery of this threat is consistent with the spike in port 445 activity reported by DShield. Port 445 has raised security concerns in the past, as the port was used by the Sasser and Nimda worms that wreaked havoc years ago.
However, this worm seems to be just one half of a worm duo that is spreading trouble these days. Systems affected by WORM_DOWNAD.A were found to be also infected by another worm, detected as WORM_NETWORM.C. WORM_NETWORM.C also exploits MS08-067, attempts to log in to affected systems through a list of strings, and also opens port 445 to connect to certain IP addresses.
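The two propagation behaviours described above (a burst of outbound port 445 connections to many hosts after exploitation, and repeated logon attempts using a list of strings) are both visible in ordinary flow and logon records. The following is an added example, not Trend Micro's own tooling: it parses constructed, space-separated flow and logon lines (a format assumed for the example) and flags sources whose port 445 fan-out or failed-logon count exceeds an assumed threshold.

```python
"""Flag hosts whose TCP/445 fan-out or failed-logon burst looks worm-like.

Added example for illustration only; the record formats, sample values and
thresholds below are assumptions, not data from the original report.
"""
from collections import defaultdict

# Constructed flow records: "<timestamp> <src> <dst> <dport>" (one per line).
SAMPLE_FLOWS = "\n".join(
    # One workstation sweeping twelve neighbours on 445: propagation-like fan-out.
    [f"2008-11-21T10:00:{i:02d} 192.168.1.50 192.168.1.{i + 1} 445" for i in range(12)]
    # A normal client talking to a single file server on 445 and a web server on 80.
    + [
        "2008-11-21T10:00:05 192.168.1.20 192.168.1.2 445",
        "2008-11-21T10:00:06 192.168.1.20 192.168.1.2 445",
        "2008-11-21T10:00:07 192.168.1.20 10.1.1.1 80",
    ]
)

# Constructed logon records: "<timestamp> <src> <user> <OK|FAIL>" (one per line).
SAMPLE_LOGONS = "\n".join(
    # The same workstation cycling through a list of account names, all failing.
    [f"2008-11-21T10:01:{i:02d} 192.168.1.50 user{i} FAIL" for i in range(8)]
    + ["2008-11-21T10:01:30 192.168.1.20 alice OK"]
)


def parse_flows(text):
    """Return (timestamp, src, dst, dport) tuples; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((ts, src, dst, int(dport)))
    return records


def parse_logons(text):
    """Return (timestamp, src, user, result) tuples from the constructed logon format."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, user, result = line.split()
        records.append((ts, src, user, result.upper()))
    return records


def port445_fanout(flows):
    """Map each source host to the number of distinct destinations it hit on 445.

    A legitimate client usually talks to a handful of file servers; a worm
    probing the subnet touches many distinct hosts in a short time.
    """
    fanout = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport == 445:
            fanout[src].add(dst)
    return {src: len(dsts) for src, dsts in fanout.items()}


def flag_scanners(flows, threshold=10):
    """Sources whose distinct 445 destinations reach the (assumed) threshold."""
    return sorted(src for src, n in port445_fanout(flows).items() if n >= threshold)


def flag_logon_bursts(logons, threshold=5):
    """Sources with at least `threshold` failed logons across distinct user names."""
    failed_users = defaultdict(set)
    for _ts, src, user, result in logons:
        if result == "FAIL":
            failed_users[src].add(user)
    return sorted(src for src, users in failed_users.items() if len(users) >= threshold)


def suspicious_hosts(flow_text, logon_text):
    """Union of hosts flagged by either heuristic, for a single triage list."""
    scanners = set(flag_scanners(parse_flows(flow_text)))
    bursts = set(flag_logon_bursts(parse_logons(logon_text)))
    return sorted(scanners | bursts)


if __name__ == "__main__":
    print("445 fan-out per source:", port445_fanout(parse_flows(SAMPLE_FLOWS)))
    print("suspicious hosts:", suspicious_hosts(SAMPLE_FLOWS, SAMPLE_LOGONS))
```

Thresholds are deliberately left as parameters: the right fan-out cut-off depends on how many file servers a client legitimately touches, so tune it against a baseline of known-good traffic before alerting on it, and treat a host that trips both heuristics as a higher-priority case than one that trips only one.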
The relation between WORM_DOWNAD.A and WORM_NETWORM.C is still undetermined, but it is likely that both worms are key components in the development of a new botnet. Botnet operators were predicted to change ways after web host McColo was shut down earlier this month, and this may just be it.
Botherders are finding spam operations that employ hosts such as McColo too much of a risk. Considering that a shutdown such as what happened with McColo may strike a killer blow to a botherder’s operation, herders are using other means to gather zombies for their botnets. Advanced Threats Researcher Ryan Flores says, “I think botherders are refreshing their bot networks with new machines through this new exploit.”
Users are already protected from this threat through the Smart Protection Network, and as if it couldn’t be stressed enough, everyone is advised to update their systems with the patch provided by Microsoft.
Updated 8:57 PM, PST: Upon further analysis, our engineers have determined that there is no solid evidence to verify the relationship between the two worms. They postulate that the only possible relationship between DOWNAD and NETWORM, considering that NETWORM fails to send the shellcode, is that DOWNAD may be an updated version of an attack originating from the same botnet gang.