Oct 26th

MS08-067 - Gimmiv.A exploits Windows bug

Posted by: Marco Giuliani


It was quite clear that something strange was happening when everyone read the announcement of an out-of-band patch release from Microsoft. Microsoft is usually quite rigorous about releasing patches and updates on the second Tuesday of the month. This out-of-the-ordinary update has left a lot of people wondering why it was needed.

Then, after Microsoft released security bulletin MS08-067 and the related update KB958644, everything became clearer. A critical vulnerability has been detected in the Windows Server service when handling RPC requests. It is a critical hole similar to the one used by the older Blaster and Sasser worms, a hole that could have opened the door to the return of Worms (with a capital W).

Why did Microsoft release this update in such a hurry? It's easily explained. Sure, it's a dangerous vulnerability, but the point is that it has already been used by some malware in targeted attacks.

After the exploit was discovered, Microsoft decided to release an out-of-band update.

This vulnerability is present in all Microsoft Windows operating systems starting from Windows 2000 (2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista SP1, Server 2008). Ironically, even Microsoft's new operating system, the Windows 7 pre-beta, is vulnerable and needed an update.

On all operating systems prior to Windows Vista (so, Windows 2008 and Windows 7 are excluded) the vulnerability allows the execution of arbitrary code remotely. On Windows Vista and later, the attack must be run by an authenticated user.

Let's explain this better. After Blaster (2003) and Sasser (2004), users have learned that a system must be remotely reachable to be exploitable by anyone. However, even with a standard firewall using default settings, ports 139/TCP and 445/TCP are usually filtered, which prevents the attack by design. Anyone surfing the web behind a router, behind NAT, won't be directly reachable from the outside unless there are specific router rules pointing to the vulnerable ports (port forwarding).

Even inside a company, users are usually not reachable from the outside. The problem inside companies is the local LAN, where the exploit can be widely used.

Let's go into more depth on the analysis of the malware used for targeted attacks.

The malware, named Gimmiv.A, is composed of a number of parts.

The main dropper is called n[x].exe, where [x] is a number from 1 to 9. Once executed, the dropper creates the file sysmgr.dll in the directory %windows%\system32\wbem. This DLL is the real heart of the malware.

To execute itself at Windows startup, this malware adds a Windows service:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysmgr

and it configures svchost to load sysmgr.dll.

Then the malware sends an ICMP Echo Request to 202.108.22.44 and 64.233.189.147. The string sent is abcde12345fghij6789.
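The ICMP beacon described above can be matched on the wire. The following is an added example, not code from the original post or from Prevx: it parses raw IPv4 datagrams and flags Echo Requests carrying the string above, raising confidence when the destination is one of the two listed addresses. The sample packets and the 10.0.0.x / 192.0.2.10 addresses are constructed for the demonstration.

```python
import socket
import struct

# Indicators taken from the article text above.
BEACON_PAYLOAD = b"abcde12345fghij6789"
BEACON_DESTS = {"202.108.22.44", "64.233.189.147"}

def classify_packet(packet: bytes):
    """Return None for non-matching traffic, else a dict describing the hit.

    `packet` is a raw IPv4 datagram (no link-layer header)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4           # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 8 or packet[9] != 1:  # protocol 1 = ICMP
        return None
    if packet[ihl] != 8 or packet[ihl + 1] != 0:             # Echo Request only
        return None
    if BEACON_PAYLOAD not in packet[ihl + 8:]:               # data after ICMP header
        return None
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    # Payload alone is a medium-confidence hit; payload plus a listed
    # destination address is a high-confidence hit.
    return {"src": src, "dst": dst,
            "confidence": "high" if dst in BEACON_DESTS else "medium"}

def build_echo_request(src: str, dst: str, payload: bytes) -> bytes:
    """Build a constructed IPv4/ICMP Echo Request for testing (checksums left 0)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + icmp

# Constructed sample traffic (not captured from a real infection).
SAMPLES = [
    build_echo_request("10.0.0.5", "202.108.22.44", BEACON_PAYLOAD),
    build_echo_request("10.0.0.6", "192.0.2.10", BEACON_PAYLOAD),
    # Default Windows ping payload sent to a listed address: must not alert.
    build_echo_request("10.0.0.7", "64.233.189.147",
                       b"abcdefghijklmnopqrstuvwabcdefghi"),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify_packet(pkt))
```

Matching on the payload rather than only on the destination addresses keeps the check useful if the addresses change, and avoids alerting on ordinary pings to those hosts.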

After this step, the malware starts the real routine. Once this routine has been analyzed, the malware can be clearly identified as a Trojan.

Gimmiv checks the infected PC for the presence of the following security software:

  • Kaspersky
  • TrendMicro
  • Symantec
  • BitDefender
  • Microsoft
  • Kingsoft
  • Rising
  • Jiangmin

Moreover, it checks running processes looking for avp.exe or for every process that has the string 'avp' in its name. Then, the operating system version is detected.

After this first part is finished, the malware starts its data stealing routine.

It collects a range of private data, such as Outlook Express identities, credentials inside Windows Protected Storage, MSN Messenger passwords, installed Microsoft patches, installed software (by enumerating the CLSID registry key, HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID), and recent files (by looking at the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Recent registry key).

All the information is then encrypted with the AES algorithm and uploaded to a remote website.

Gimmiv could create other files inside the %windows%\system32\wbem directory: inetproc[n]x.cab (where [n] is the same number as in the dropper n[x]) and scm.bat.

Then, the trojan downloads and copies inside the same directory 3 files: basesvc.dll, syicon.dll, winbase.dll.
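The file and registry artefacts named so far can be swept for in a collected file listing and registry key export. This is an added example, not Prevx's detection logic: the matcher functions, the loose `inetproc*.cab` pattern and the sample listing are assumptions made here, and a bare `n[1-9].exe` name is only a weak indicator on its own.

```python
import ntpath
import re

# Indicators from the article. inetproc[n]x.cab is matched loosely (assumption)
# because the exact position of the digit in the name is not spelled out.
WBEM_FILES = {"sysmgr.dll", "basesvc.dll", "syicon.dll", "winbase.dll", "scm.bat"}
WBEM_CAB = re.compile(r"^inetproc.*\.cab$")
DROPPER = re.compile(r"^n[1-9]\.exe$")
SERVICE_KEY = r"hkey_local_machine\system\currentcontrolset\services\sysmgr"

def match_file(path: str):
    """Return an indicator label for a Windows file path, or None."""
    norm = path.replace("/", "\\").lower()
    name = ntpath.basename(norm)
    # %windows% varies per host, so only the tail of the directory is compared.
    in_wbem = ntpath.dirname(norm).endswith(r"\system32\wbem")
    if in_wbem and name in WBEM_FILES:
        return "payload file in wbem: " + name
    if in_wbem and WBEM_CAB.match(name):
        return "staging cab in wbem: " + name
    if DROPPER.match(name):
        return "dropper-style name: " + name
    return None

def match_registry(key: str):
    """Return a label if the key is, or sits under, the sysmgr service key."""
    norm = key.rstrip("\\").lower()
    if norm.startswith("hklm\\"):          # expand the common abbreviation
        norm = "hkey_local_machine" + norm[4:]
    if norm == SERVICE_KEY or norm.startswith(SERVICE_KEY + "\\"):
        return "sysmgr service key"
    return None

def sweep(files, keys):
    """Run both matchers over a collected listing; return (item, label) hits."""
    hits = [(f, match_file(f)) for f in files]
    hits += [(k, match_registry(k)) for k in keys]
    return [(item, label) for item, label in hits if label]

# Constructed triage data (paths and keys invented for the demonstration).
FILES = [r"C:\WINDOWS\system32\wbem\sysmgr.dll",
         r"C:\WINDOWS\system32\wbem\wbemcore.dll",
         r"C:\WINDOWS\system32\wbem\inetproc03x.cab",
         r"C:\Documents and Settings\user\Local Settings\Temp\n3.exe"]
KEYS = [r"HKLM\SYSTEM\CurrentControlSet\Services\sysmgr\Parameters",
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule"]

if __name__ == "__main__":
    for item, label in sweep(FILES, KEYS):
        print(label, "->", item)
```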

basesvc.dll is, above all, the most interesting part of the malware, because it is the one that exploits the MS08-067 vulnerability.

In more detail, the function NetPathCanonicalize of the Windows library netapi32.dll is vulnerable to a stack overflow attack. When a malformed RPC request with a specific path is sent, the bug is triggered and the attacker is able to download files onto the vulnerable machine.

On a side note, Gimmiv.A looks like a test build. Its code is not optimized, it is redundant, and there are lots of debug output strings. These are all details that could mean this malware was intended as a beta or debug release, to be used for targeted attacks but still not fully tested.

Prevx CSI is able to detect and remove the infection.

It's necessary to immediately update your Windows operating system, using Windows (or Microsoft) Update. If you don't use them, the patch can be downloaded from here.
