SonicWall Security Center


MS08-067 exploit in wild (Oct 23, 2008)



Description


Today the SonicWALL UTM Research team received samples exploiting the newly patched MS08-067 Windows Server Service vulnerability. We have received at least 10 distinct copies of this exploit malware. Filenames were n[x].exe (where [x] = 1, 2 or 3).

The malware is 397,312 bytes in size. When executed, it drops the following malicious file into the system folder:

  • sysmgr.dll

It starts a service named "sysmgr" (display name "System Maintenance Service") and deletes the original copy of the malware from the folder where it was executed.

It attempts to communicate with the following hosts over HTTP:

  • summertime.1gokurimu.com
  • doradora.atzend.com
  • perlbody.t35.com
  • 59.106.145.58


The trojan generates a URL from the operating system and antivirus information on the infected host, in the following format: IPADDRESS/test2.php?abc=A?def=B

Here A is a numeric code identifying the antivirus application found on the host and B is a numeric code identifying the operating system; both values vary from one host computer to another.
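As an added example (not part of the original alert), the following Python script shows how the beacon format above can be turned into a proxy-log check. It matches the test2.php request described in the alert and, separately, any request to one of the hosts listed above. The log format, the client addresses and the sample lines are constructed for this example; the alert shows a second "?" before def, so the pattern accepts either "?" or "&" as the separator (an assumption, so that both spellings are caught).

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Watchlist built from the hosts named in the alert.
GIMMIV_HOSTS = {
    "summertime.1gokurimu.com",
    "doradora.atzend.com",
    "perlbody.t35.com",
    "59.106.145.58",
}

# Beacon path from the alert: IPADDRESS/test2.php?abc=A?def=B
# The alert shows '?' where '&' would normally sit; accept either (assumption).
BEACON_RE = re.compile(r"/test2\.php\?abc=(?P<av>\d+)[?&]def=(?P<os>\d+)$")


@dataclass
class BeaconHit:
    src: str        # client address that made the request
    host: str       # destination host from the URL
    av_code: int    # value of abc=, or -1 when the hit is host-only
    os_code: int    # value of def=, or -1 when the hit is host-only
    reason: str     # "beacon-pattern" or "known-host"


# Constructed sample proxy log: "<epoch> <client-ip> <method> <url> <status>"
SAMPLE_LOG = """\
1224806400.123 10.0.0.21 GET http://59.106.145.58/test2.php?abc=3?def=2 200
1224806401.456 10.0.0.21 GET http://www.example.com/index.html 200
1224806402.789 10.0.0.35 GET http://perlbody.t35.com/test2.php?abc=0&def=5 404
1224806403.000 10.0.0.35 GET http://summertime.1gokurimu.com/ 200
"""


def scan_line(line: str) -> Optional[BeaconHit]:
    """Return a hit for one log line, or None if the line is uninteresting."""
    parts = line.split()
    if len(parts) < 5:
        return None
    _ts, src, _method, url, _status = parts[:5]
    u = urlsplit(url)
    host = u.hostname or ""
    path_qs = u.path + ("?" + u.query if u.query else "")
    m = BEACON_RE.search(path_qs)
    if m:
        # Beacon shape matched: report the AV and OS codes the host sent.
        return BeaconHit(src, host, int(m["av"]), int(m["os"]), "beacon-pattern")
    if host in GIMMIV_HOSTS:
        # No beacon shape, but the destination is a host from the alert.
        return BeaconHit(src, host, -1, -1, "known-host")
    return None


def scan_log(text: str) -> List[BeaconHit]:
    """Scan a whole log and return every hit in order of appearance."""
    return [h for h in (scan_line(l) for l in text.splitlines()) if h]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The beacon pattern is the stronger signal, since it does not depend on the infrastructure staying the same; the host match catches traffic to the listed domains that does not use the test2.php path.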


It also makes the following registry modifications:

  • Creates key "HKLM\System\CurrentControlSet\Services\sysmgr\Parameters".
  • Sets value "ServiceDll"="C:\WINDOWS\SYSTEM32\wbem\sysmgr.dll" in key "HKLM\System\CurrentControlSet\Services\sysmgr\Parameters".
  • Sets value "ServiceMain"="ServiceMainFunc" in key "HKLM\System\CurrentControlSet\Services\sysmgr\Parameters".
  • Creates key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost".
  • Sets value "sysmgr"="sysmgr" in key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost".
  • Sets value "I"="" in key "HKLM\System\CurrentControlSet\Services\sysmgr".
  • Sets value "DisplayName"="System Maintenance Service" in key "HKLM\System\CurrentControlSet\Services\sysmgr".
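The registry changes above are the standard recipe for a svchost-hosted service: a ServiceDll under Services\sysmgr\Parameters plus a new group entry under the SvcHost key. As an added example (not part of the original alert), the Python below parses a .reg-style export and flags svchost-hosted services that sit in a group not shipped with Windows or that are the only member of their group, which is how this sample's sysmgr entry stands out. The sample export is constructed from the values listed in the alert, written as plain REG_SZ strings (a real export encodes SvcHost group lists as hex(7) REG_MULTI_SZ); the Dhcp entries are a constructed benign control, and the list of known groups is an assumed, deliberately partial one.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg-style export built from the keys and values in the alert.
# REG_SZ form only; the Dhcp entries are a benign control, not from the alert.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sysmgr]
"I"=""
"DisplayName"="System Maintenance Service"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sysmgr\Parameters]
"ServiceDll"="C:\\WINDOWS\\SYSTEM32\\wbem\\sysmgr.dll"
"ServiceMain"="ServiceMainFunc"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dhcp]
"DisplayName"="DHCP Client"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dhcpcsvc.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"="Dhcp,Dnscache,lanmanserver"
"sysmgr"="sysmgr"
"""

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services"
SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SvcHost"

# Assumed, deliberately partial set of svchost groups that ship with Windows XP/2003.
KNOWN_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss", "dcomlaunch"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VAL_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ entries of a .reg export into {key: {value_name: value}}."""
    reg: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km["key"]
            reg.setdefault(current, {})
            continue
        vm = VAL_RE.match(line)
        if vm and current is not None:
            # .reg files escape backslashes and quotes inside string values.
            reg[current][vm["name"]] = vm["value"].replace('\\"', '"').replace("\\\\", "\\")
    return reg


def audit_svchost_services(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Flag svchost-hosted services whose group looks hand-made rather than stock."""
    groups = {
        g.lower(): [m.strip().lower() for m in members.split(",") if m.strip()]
        for g, members in reg.get(SVCHOST_KEY, {}).items()
    }
    findings: List[Tuple[str, List[str]]] = []
    prefix = SERVICES_KEY + "\\"
    for key, values in reg.items():
        if not (key.startswith(prefix) and key.endswith("\\Parameters")):
            continue
        name = key[len(prefix):-len("\\Parameters")]
        if "\\" in name or "ServiceDll" not in values:
            continue  # not Services\<name>\Parameters, or not svchost-hosted
        reasons = []
        for group, members in groups.items():
            if name.lower() not in members:
                continue
            if group not in KNOWN_GROUPS:
                reasons.append(f"hosted in non-standard svchost group '{group}'")
            if members == [name.lower()]:
                reasons.append(f"sole member of svchost group '{group}'")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for svc, why in audit_svchost_services(parse_reg(SAMPLE_REG)):
        print(svc, "->", "; ".join(why))
```

Both heuristics fire on the sysmgr entry and neither fires on the Dhcp control. Neither heuristic proves malice on its own; they narrow the list of services worth checking, after which the ServiceDll path and its publisher signature are the next things to look at.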

At the time of writing, detection of this malware is very low: Win32/Gimmiv.A [Microsoft], Generic Dropper [McAfee], Mal/Generic-A [Sophos].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: MS08-067 (Exploit) signature.

SonicWALL has also released generic IPS signatures that detect and prevent attacks targeting this vulnerability. Please refer to MS08-067 Server Service Buffer Overflow (Oct 23, 2008) for a detailed description of the vulnerability.

