Friday, October 24, 2008

NAPI Worm

Okay, it isn't really called NAPI (yet), but since it affects NetAPI, I figured it was a good name. Everyone is already blogging on this, so I'll make it short.

I'm, of course, talking about MS08-067 (CVE-2008-4250), reportedly the next big vulnerability that will take down the internet.

ISC even raised the threat level to yellow.

Thankfully I still have some friends in the botnet community and I was provided with a copy of the binary. I even put my hands on two different versions of pcap files from other sandboxes.

From what I can tell, the vulnerability was reported to Microsoft on Sept 25th, 2008. It's reportedly related to MS06-040, and some tell me that just a few minor modifications to the Metasploit module that already exists for MS06-040 will allow any script kiddie to exploit this vulnerability.

At least one proof-of-concept virus exists for the malware. The binaries are available on a website, meaning any "drive-by" infection could force a user to download the malware, which could then turn on the internal network.

I worked the binary for a few hours this afternoon, and found it communicating with the following domains:

doradora.atzend.com (69.162.76.42)
perlbody.t35.com (66.45.237.219)
summertime.1gokurimu.com (59.106.116.229) (UPDATE: Thanks to Sandi for pointing out a typo in the domain name)
and IP 59.106.145.58.

The binaries are named n1.exe through n9.exe. The samples I have are:
dc3fdfde66fffb6cfbec946a237787d8 n1.exe
ccbb73c5f137335fa2a49d7f79722a6c n2.exe
3ee354cc8b63b8849b28e6f376f2b263 n3.exe
6c3e53864541bb13fa7853f7b580b807 n4.exe
24cd978da62cff8370b83c26e134ff4c n5.exe
86d75ae361637a8f9114bb3a40f710d3 n6.exe
ee70f981514803e1fb4e6b65f492a56d n7.exe
8d66f28d028a4838d09ce4b91d35b7cb n8.exe
477aac8d472a7bea8b906718a2f50c67 n9.exe

We see the binary starts a service and creates the file %system32%\esobs.dat, which appears to be encrypted.
It also starts the service "Windows NT Baseline". Since it's a service, the malware hides under svchost, so identifying the binary from the task manager is difficult.
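For anyone who wants to sweep their own logs and hosts for the artefacts listed above, here is a small added example (my own illustration, not code from the post or from any vendor). The domains, IPs, MD5 hashes, dropped file name and service name are copied from the post; the log lines, the sample directory and the service list it runs against are constructed inline, so it runs offline. How you obtain real DNS/proxy logs and the real service list on a Windows box is left to you; the functions just take lines, a directory path and a list of service names.

```python
# Added example: match host and network artefacts against the indicators
# listed in the post. Indicator values come from the post; every input
# below is constructed for illustration.
import hashlib
import os
import re
import tempfile

# Network indicators named in the post.
IOC_DOMAINS = {
    "doradora.atzend.com",
    "perlbody.t35.com",
    "summertime.1gokurimu.com",
}
IOC_IPS = {"69.162.76.42", "66.45.237.219", "59.106.116.229", "59.106.145.58"}

# MD5 hashes of the n1.exe .. n9.exe samples named in the post.
IOC_MD5 = {
    "dc3fdfde66fffb6cfbec946a237787d8": "n1.exe",
    "ccbb73c5f137335fa2a49d7f79722a6c": "n2.exe",
    "3ee354cc8b63b8849b28e6f376f2b263": "n3.exe",
    "6c3e53864541bb13fa7853f7b580b807": "n4.exe",
    "24cd978da62cff8370b83c26e134ff4c": "n5.exe",
    "86d75ae361637a8f9114bb3a40f710d3": "n6.exe",
    "ee70f981514803e1fb4e6b65f492a56d": "n7.exe",
    "8d66f28d028a4838d09ce4b91d35b7cb": "n8.exe",
    "477aac8d472a7bea8b906718a2f50c67": "n9.exe",
}

# Host artefacts named in the post.
IOC_FILENAME = "esobs.dat"
IOC_SERVICE = "Windows NT Baseline"

# Hostnames need a letters-only TLD, so dotted IPs never match this pattern.
_HOST_RE = re.compile(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log_line(line):
    """Return the set of listed domains/IPs that appear in one log line."""
    hits = set()
    for host in _HOST_RE.findall(line):
        host = host.lower().rstrip(".")
        if host in IOC_DOMAINS:
            hits.add(host)
    for ip in _IP_RE.findall(line):
        if ip in IOC_IPS:
            hits.add(ip)
    return hits


def md5_of_file(path):
    """Stream a file through MD5 so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root):
    """Walk root; return (path, reason) for hash matches or the dropped file name."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == IOC_FILENAME:
                findings.append((path, "dropped file name"))
            digest = md5_of_file(path)
            if digest in IOC_MD5:
                findings.append((path, "md5 matches " + IOC_MD5[digest]))
    return findings


def scan_services(service_names):
    """Return the entries of a service list that carry the listed display name."""
    return [s for s in service_names if s.strip().lower() == IOC_SERVICE.lower()]


if __name__ == "__main__":
    # Constructed proxy/DNS log lines (not real traffic).
    sample_log = [
        "10.0.0.5 GET http://perlbody.t35.com/n3.exe 200",
        "10.0.0.5 query A summertime.1gokurimu.com.",
        "conn 10.0.0.7 -> 59.106.145.58:80",
        "10.0.0.9 GET http://example.invalid/index.html 200",
    ]
    for line in sample_log:
        print(scan_log_line(line) or "-", "|", line)

    # Constructed directory containing only the dropped file name.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "esobs.dat"), "wb") as f:
            f.write(b"constructed placeholder, not a real sample")
        print(scan_directory(tmp))

    # Constructed service list.
    print(scan_services(["Dnscache", "Windows NT Baseline", "Spooler"]))
```

Hash matching only catches these nine exact samples; a repacked binary will not match, so the domain, file and service checks are the ones worth keeping in a sweep.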

Users who do not run as admin have a level of protection from the botnet side of the infection - though an admin user on your network could still become infected and using the exploit, infect other systems on a local network. I'd worry most about coffee shops and public internet locations.

Emerging Threats has released some publicly available signatures here.

It remains to be seen how bad this wormable code will get, but it's sure to have an impact. A much better technical article than I could ever dream of writing is available here: http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx.

Microsoft reports that users with host-based firewalls are not at risk - but it's still a good idea to download the patch quickly. Microsoft rarely releases a patch out of band, which goes to show how important this really is.

Virustotal reports that only 1/3 of the vendors have signatures for the trojan.
