MA-142.122008 : MyCERT Special Alert - MS08-067 related malware

Original Issue Date: 3rd December 2008

1.0 Introduction

Microsoft recently released an out-of-band patch on 23rd October to mitigate the vulnerability described in security bulletin MS08-067. MyCERT is aware that the vulnerability is being actively exploited by worms and bots in the wild. The malicious code is known by the following names, which vary depending on the AV vendor:

W32.Downadup [Symantec]
Downloader.Agent.APKO [AVG]
Worm.Downloader.JLIW [BitDefender]
Worm:W32/Conficker.A [F-Secure]
W32/Conficker.worm [McAfee]
Worm:Win32/Conficker.A [Microsoft]
W32/Conficker.A.worm [Panda]
W32/Confick-A [Sophos]
WORM_DOWNAD.A [Trend Micro]
Worm.Disken.B (worm) [VirusBuster]
2.0 Impact

The malicious code propagates over TCP port 445. The infected machine uses port 139 to connect to port 445 of the infecting machine to download the latest updated version of the malicious code and an updated list of IP addresses of other infected machines. Infected machines are then used to spread the malware further by scanning for other targets.

The malicious code checks the IP address of the machine. It then starts an HTTP server on the machine and hosts the malicious code there. Once other machines have been infected, they connect to the attacking machine in order to download the latest update of the botnet code. As a result of this propagation technique, the creator of the malicious code has hosted the code on numerous URLs. Users are advised to block these URLs and keep up to date with the latest list.

3.0 Affected Products

All versions of Windows 2000, Windows Server 2003 SP1 & SP2, and Windows XP SP2.

4.0 Recommendation

MyCERT recommends that users:

Patch their Microsoft Windows systems immediately.
Block access to ports 445 & 139.
Update the security software (antivirus, firewall, IPS) on the machine to the latest version.
Check for suspicious DLL files under the Windows System directory (usually C:\Windows\System32) with a size of 62,976 bytes.
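The last recommendation above, checking the Windows System directory for DLL files of exactly 62,976 bytes, can be scripted so that it is repeatable across many hosts. The following Python example is added here as an illustration and is not MyCERT's code; the directory tree it scans in the demo is constructed in a temporary folder with made-up file names (abcdefgh.dll, xyz.dll) so the example runs offline, and the function can be pointed at C:\Windows\System32 on a real host. A size match is only an indicator from this advisory, so any hit should be hashed and submitted to an AV vendor rather than deleted on the spot.

```python
import os
import tempfile

# File size given in the advisory for the suspicious DLL dropped by the malware.
SUSPICIOUS_DLL_SIZE = 62976


def find_suspicious_dlls(directory, size=SUSPICIOUS_DLL_SIZE):
    """Return sorted paths of .dll files under `directory` whose size is exactly `size` bytes.

    Subdirectories are walked as well, since System32 contains nested folders
    (e.g. drivers). Locked or vanished files are skipped rather than aborting the scan.
    """
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if not name.lower().endswith(".dll"):
                continue
            path = os.path.join(root, name)
            try:
                if os.path.getsize(path) == size:
                    hits.append(path)
            except OSError:
                # File in use by the system or removed mid-scan; skip it.
                continue
    return sorted(hits)


def build_sample_tree(base):
    """Populate a constructed directory tree (NOT a real System32) for the demo.

    Names and contents are made up; only the sizes matter for the check.
    """
    os.makedirs(os.path.join(base, "drivers"), exist_ok=True)
    samples = {
        "kernel32.dll": 1024,                                      # benign, wrong size
        "abcdefgh.dll": SUSPICIOUS_DLL_SIZE,                       # matches the indicator
        os.path.join("drivers", "xyz.dll"): SUSPICIOUS_DLL_SIZE,   # nested match
        "notes.txt": SUSPICIOUS_DLL_SIZE,                          # right size, not a DLL
    }
    for rel, size in samples.items():
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(b"\0" * size)
    return base


def demo():
    """Run the check against the constructed tree and return hit paths relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [os.path.relpath(p, tmp) for p in find_suspicious_dlls(tmp)]


if __name__ == "__main__":
    # On a real host run, with administrator rights:
    #   find_suspicious_dlls(r"C:\Windows\System32")
    for hit in demo():
        print("suspicious DLL (size match):", hit)
```

The demo returns only the two .dll files of the advisory's size and ignores the text file of the same size, which is the behaviour wanted when triaging a large System32 directory.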
5.0 References

http://blog.trendmicro.com/ms08-067-vulnerability-botnets-reloaded/
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
http://isc.sans.org/diary.html?storyid=5275
http://www.f-secure.com/weblog/archives/00001526.html
http://www.virustotal.com/analisis/c9418560fcd20f44800111486cf475b3
Users and organizations may contact MyCERT for further assistance or questions. MyCERT can be reached at:

E-mail : mycert@mycert.org.my
Phone : +603 89926969 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : +60 19 2813801 (24x7 SMS reporting)
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web : http://www.mycert.org.my

Revision History:
Initial Release: 3rd December 2008