Prevx Blog

Nov 4th

MS08-067 exploited by Worm.KernelBot

Posted by: Marco Giuliani

Bookmark Now

Here at Prevx Research Lab we were expecting this. It was just a matter of time before seeing a worm that makes use of MS08-067 vulnerability.

During these hours we have isolated a new malware, called KernelBot. We have seen this malware for the first time on 28th October and it most likely comes from China.

The worm comes with a file called 6767.exe or KernelDbg.exe. Once executed, it checks running processes for:

  • safeboxtray.exe
  • avp.exe
  • RSTray.exe

and it sets following values under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\safemon:

  • [UDiskAccess] = "0"
  • [ExecAccess] = "0"
  • [IEProtAccess] = "0"
  • [LeakAccess] = "0"
  • [MonAccess] = "0"
  • [SiteAccess] = "0"

so that it can deactivate security settings of 360Safe security software.

Then it terminates following processes, along with their relative threads:

  • 360rpt.exe
  • 360Safe.exe
  • 360Tray.exe
  • safeboxTray.exe
  • Iparmor.exe
  • USBSAFE.exe
  • ast.exe

and it tries to delete following startup values from HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run:

  • 360Safetray
  • 360Safebox
  • 360Antiarp
  • runeip
  • Iparmor

KernelBot then creates the following files inside Windows System directory, adding hidden flags and setting their timestamp to the same values of winlogon.exe:

  • compbatc.sys
  • compbatc.exe
  • compbatc.zip
  • compbatc.dll
  • compbatc.ocx
  • compbatc.ini

Files could also be called (as observed):

  • vvebc1nt.sys
  • vvebc1nt.exe
  • vvebc1nt.zip
  • vvebc1nt.dll
  • vvebc1nt.ocx
  • vvebc1nt.ini

The malware then creates these service keys under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services:

  • [8 numeri]
  • compbatc
  • compbatcDrv

It deletes registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

After this first step, the malware is able to start its payload routine. To do this, it inject its code inside svchost.exe process. Moreover, it starts a number of new svchost.exe processes too, and then injects its code over them.

KernelBot is able to get commands from a remote server. It downloads a list of commands from ushealthmart.com website created by the attackers and then executes them.

It can autoupdate itself, download and execute new files and run DDoS attacks against specified targets. It's able to run TCP,UDP,SYN,HTTP flood attacks. Every command is just written inside the configuration file downloaded from the malicious website.

At the moment KernelBot is downloading NetGuy5.exe, which is the malware component that exploits MS08-067 vulnerability to spread inside local networks.

Moreover, a custom release of eMule is download by the malware. This version is configured to spread through peer to peer a fake movie which is the copy of itself.

KernelBot then adds following hosts inside HOSTS file:

  • 127.0.0.1 www.360Safe.com
  • 127.0.0.1 www.360.cn
  • 127.0.0.1 bbs.360safe.com
  • 127.0.0.1 baike.360.cn
  • 127.0.0.1 kaba.360.cn
  • 127.0.0.1 bbs.360.cn
  • 127.0.0.1 360.cn
  • 127.0.0.1 forum.ikaka.com
  • 127.0.0.1 tool.ikaka.com
  • 127.0.0.1 file.ikaka.com
  • 127.0.0.1 update.ikaka.com
  • 127.0.0.1 bbs.ikaka.com
  • 127.0.0.1 bbs.janmeng.com
  • 127.0.0.1 www.ikaka.com
  • 127.0.0.1 forum.jiangmin.com
  • 127.0.0.1 update.rising.com.cn
  • 127.0.0.1 online.rising.com.cn
  • 127.0.0.1 center.rising.com.cn
  • 127.0.0.1 www.rising.com.cn
  • 127.0.0.1 fw.rising.com.cn
  • 127.0.0.1 csc.rising.com.cn
  • 127.0.0.1 buy.rising.com.cn
  • 127.0.0.1 sos.rising.com.cn
  • 127.0.0.1 download.rising.com.cn
  • 127.0.0.1 help.rising.com.cn
  • 127.0.0.1 go.rising.com.cn
  • 127.0.0.1 up.duba.net
  • 127.0.0.1 bbs.duba.net
  • 127.0.0.1 shadu.baidu.com
  • 127.0.0.1 www.kztechs.com
  • 127.0.0.1 security.symantec.com
  • 127.0.0.1 shadu.duba.net
  • 127.0.0.1 online.jiangmin.com
  • 127.0.0.1 cn.mcafee.com
  • 127.0.0.1 bbs.mcafeefans.com
  • 127.0.0.1 mcafeefans.com
  • 127.0.0.1 www.ahn.com.cn
  • 127.0.0.1 www.kaspersky.com.cn
  • 127.0.0.1 www.kaspersky.com
  • 127.0.0.1 www.pcav.cn
  • 127.0.0.1 www.vrv.com.cn
  • 127.0.0.1 bbs.sucop.com
  • 127.0.0.1 www.sucop.com
  • 127.0.0.1 sucop.com
  • 127.0.0.1 bbs.cpcw.com
  • 127.0.0.1 www.shudoo.com
  • 127.0.0.1 alert.rising.com.cn
  • 127.0.0.1 www.dswlab.com
  • 127.0.0.1 dswlab.com
  • 127.0.0.1 bbs.dswlab.com
  • 127.0.0.1 zhidao.ikaka.com
  • 127.0.0.1 bbs.kafan.cn
  • 127.0.0.1 bbs.kaspersky.com.cn
  • 127.0.0.1 www.trendmicro.com.cn
  • 127.0.0.1 bbs.trendmicro.com.cn
  • 127.0.0.1 cn.trendmicro.com
  • 127.0.0.1 www.kpfans.com
  • 127.0.0.1 kpfans.com
  • 127.0.0.1 www.mcafee.com
  • 127.0.0.1 dnl-cn1.kaspersky-labs.com
  • 127.0.0.1 dnl-cn2.kaspersky-labs.com
  • 127.0.0.1 dnl-cn3.kaspersky-labs.com
  • 127.0.0.1 dnl-cn4.kaspersky-labs.com
  • 127.0.0.1 dnl-cn5.kaspersky-labs.com
  • 127.0.0.1 dnl-cn6.kaspersky-labs.com
  • 127.0.0.1 dnl-cn7.kaspersky-labs.com
  • 127.0.0.1 dnl-cn8.kaspersky-labs.com
  • 127.0.0.1 dnl-cn9.kaspersky-labs.com
  • 127.0.0.1 dnl-cn10.kaspersky-labs.com
  • 127.0.0.1 dnl-cn11.kaspersky-labs.com
  • 127.0.0.1 dnl-cn12.kaspersky-labs.com
  • 127.0.0.1 dnl-cn13.kaspersky-labs.com
  • 127.0.0.1 dnl-cn14.kaspersky-labs.com
  • 127.0.0.1 dnl-cn15.kaspersky-labs.com
  • 127.0.0.1 dnl-cd1.kaspersky-labs.com
  • 127.0.0.1 dnl-cd2.kaspersky-labs.com
  • 127.0.0.1 dnl-cd3.kaspersky-labs.com
  • 127.0.0.1 dnl-cd4.kaspersky-labs.com
  • 127.0.0.1 dnl-cd5.kaspersky-labs.com
  • 127.0.0.1 dnl-cd6.kaspersky-labs.com
  • 127.0.0.1 dnl-cd7.kaspersky-labs.com
  • 127.0.0.1 dnl-cd8.kaspersky-labs.com
  • 127.0.0.1 dnl-cd9.kaspersky-labs.com
  • 127.0.0.1 dnl-cd10.kaspersky-labs.com
  • 127.0.0.1 dnl-cd11.kaspersky-labs.com
  • 127.0.0.1 dnl-cd12.kaspersky-labs.com
  • 127.0.0.1 dnl-cd13.kaspersky-labs.com
  • 127.0.0.1 dnl-cd14.kaspersky-labs.com
  • 127.0.0.1 dnl-eu1.kaspersky-labs.com
  • 127.0.0.1 dnl-eu2.kaspersky-labs.com
  • 127.0.0.1 dnl-eu3.kaspersky-labs.com
  • 127.0.0.1 dnl-eu4.kaspersky-labs.com
  • 127.0.0.1 dnl-eu5.kaspersky-labs.com
  • 127.0.0.1 dnl-eu6.kaspersky-labs.com
  • 127.0.0.1 dnl-eu7.kaspersky-labs.co m
  • 127.0.0.1 dnl-eu8.kaspersky-labs.com
  • 127.0.0.1 dnl-eu9.kaspersky-labs.com
  • 127.0.0.1 dnl-eu10.kaspersky-labs.com
  • 127.0.0.1 dnl-eu11.kaspersky-labs.com
  • 127.0.0.1 dnl-eu12.kaspersky-labs.com
  • 127.0.0.1 dnl-eu13.kaspersky-labs.com
  • 127.0.0.1 dnl-eu14.kaspersky-labs.com
  • 127.0.0.1 dnl-eu15.kaspersky-labs.com
  • 127.0.0.1 dnl-us1.kaspersky-labs.com
  • 127.0.0.1 dnl-us2.kaspersky-labs.com
  • 127.0.0.1 dnl-us3.kaspersky-labs.com
  • 127.0.0.1 dnl-us4.kaspersky-labs.com
  • 127.0.0.1 dnl-us5.kaspersky-labs.com
  • 127.0.0.1 dnl-us6.kaspersky-labs.com
  • 127.0.0.1 dnl-us7.kaspersky-labs.com
  • 127.0.0.1 dnl-us8.kaspersky-labs.com
  • 127.0.0.1 dnl-us9.kaspersky-labs.com
  • 127.0.0.1 dnl-us10.kaspersky-labs.com
  • 127.0.0.1 dnl-us11.kaspersky-labs.com
  • 127.0.0.1 dnl-us12.kaspersky-labs.com
  • 127.0.0.1 dnl-us13.kaspersky-labs.com
  • 127.0.0.1 dnl-us14.kaspersky-labs.com
  • 127.0.0.1 dnl-us15.kaspersky-labs.com
  • 127.0.0.1 dnl-ru1.kaspersky-labs.com
  • 127.0.0.1 dnl-ru2.kaspersky-labs.com
  • 127.0.0.1 dnl-ru3.kaspersky-labs.com
  • 127.0.0.1 dnl-ru4.kaspersky-labs.com
  • 127.0.0.1 dnl-ru5.kaspersky-labs.com
  • 127.0.0.1 dnl-ru6.kaspersky-labs.com
  • 127.0.0.1 dnl-ru7.kaspersky-labs.com
  • 127.0.0.1 dnl-ru8.kaspersky-labs.com
  • 127.0.0.1 dnl-ru9.kaspersky-labs.com
  • 127.0.0.1 dnl-ru10.kaspersky-labs.com
  • 127.0.0.1 dnl-ru11.kaspersky-labs.com
  • 127.0.0.1 dnl-ru12.kaspersky-labs.com
  • 127.0.0.1 dnl-ru13.kaspersky-labs.com
  • 127.0.0.1 dnl-ru14.kaspersky-labs.com
  • 127.0.0.1 dnl-ru15.kaspersky-labs.com
  • 127.0.0.1 dnl-jp1.kaspersky-labs.com
  • 127.0.0.1 dnl-jp2.kaspersky-labs.com
  • 127.0.0.1 dnl-jp3.kaspersky-labs.com
  • 127.0.0.1 dnl-jp4.kaspersky-labs.com
  • 127.0.0.1 dnl-jp5.kaspersky-labs.com
  • 127.0.0.1 dnl-jp6.kaspersky-labs.com
  • 127.0.0.1 dnl-jp7.kaspersky-labs.com
  • 127.0.0.1 dnl-jp8.kaspersky-labs.com
  • 127.0.0.1 dnl-jp9.kaspersky-labs.com
  • 127.0.0.1 dnl-jp10.kaspersky-labs.com
  • 127.0.0.1 dnl-jp11.kaspersky-labs.com
  • 127.0.0.1 dnl-jp12.kaspersky-labs.com
  • 127.0.0.1 dnl-jp13.kaspersky-labs.com
  • 127.0.0.1 dnl-jp14.kaspersky-labs.com
  • 127.0.0.1 dnl-jp15.kaspersky-labs.com
  • 127.0.0.1 dnl-kr1.kaspersky-labs.com
  • 127.0.0.1 dnl-kr2.kaspersky-labs.com
  • 127.0.0.1 dnl-kr3.kaspersky-labs.com
  • 127.0.0.1 dnl-kr4.kaspersky-labs.com
  • 127.0.0.1 dnl-kr5.kaspersky-labs.com
  • 127.0.0.1 dnl-kr6.kaspersky-labs.com
  • 127.0.0.1 dnl-kr7.kaspersky-labs.com
  • 127.0.0.1 dnl-kr8.kaspersky-labs.com
  • 127.0.0.1 dnl-kr9.kaspersky-labs.com
  • 127.0.0.1 dnl-kr10.kaspersky-labs.com
  • 127.0.0.1 dnl-kr11.kaspersky-labs.com
  • 127.0.0.1 dnl-kr12.kaspersky-labs.com
  • 127.0.0.1 dnl-kr13.kaspersky-labs.com
  • 127.0.0.1 dnl-kr14.kaspersky-labs.com
  • 127.0.0.1 dnl-kr15.kaspersky-labs.com

As said before, a worm like this was expected, it has been just a matter of time. Clearly, a PC infected with KernelBot can be totally controlled by remote attackers, who can install on the infected system every kind of maware and, moreover, they can use the PC for DDoS attacks.

If someone still hasn't updated Windows, it's essential to do it as soon as possible, to prevent this and future malware attacks exploiting MS08-067 vulnerability. It's advisable to block ushealthmart.com domain too.

Prevx 2.0 and Prevx CSI are able to detect and remove the infection.

1 comment so far

  1. Jake Posey on Mar 16 16:43, 2009

    2. I feel for the guy in the Yahoo news story that linked me here. I had my data stolen from Bank of New York Mellon and they totally dropped the ball. They did not notify me for close to a year after they discovered the data breach. Then, they offered me free credit monitoring. I explained to them that I need to know what happened to my credit during the year between when my data was stolen and when I was notified and they said to pull your free credit report - I did that 9 months ago, so I still had an 8 month exposure to my personal information.

    I called them and they said tough luck - if you don't like that, write us. I wrote them and they said tough luck, if you don't like that call us. They are insensitive idiots.

    I called my financial advisor and told him to dump anything dealing with BNY Mellon. My mother-in-law's advisor also switched firms and was moving to BNY Mellon. Because of my story, she is looking for another advisor now.

    Why don't you get it? We are your customers. You are supposed to protect us.

Leave a reply








Yearly Archives

Stay Updated

YouTube Channel

Find us on Facebook