MS06-040 Worm Out

[HTRegz]

Hey Hey,

For those of you that haven't patched yet... a worm (a variant of MocBot or a 'new' virus according to MS named Graweg) is circulating for MS06-040... it's fairly standard.. exploit, install a service.. service connects to IRC to wait out commands..

LurHQ has a great analysis of the virus

Mocbot first appeared in late 2005, using the MS05-039 PNP vulnerability in order to spread. Since it is fairly unremarkable IRC bot and was not even the first to use the MS05-039 exploit, it received little attention past the ordinary anti-virus writeups and signatures.

Amazingly, this new variant of Mocbot, still uses the same IRC server hostnames as a command-and-control mechanism after all these months. This may be partially due to the low-profile it has held, but also may be due to the fact that the hostnames and ip addresses associated with the command-and-control servers are almost all located in China. Historically Chinese ISPs and government entities have been less-than-cooperative in taking action against malware hosted and controlled from within their networks.

Little appears to have changed between previous Mocbot variants and the new one, except the replacement of the MS05-039 exploit with that of MS06-040. Primarily Mocbot resembles many other IRC bots, providing the controller with a backdoor on the infected host, along with the ability to launch a DDoS attack against other hosts, as well as being able to use the built-in exploit to spread to additional systems.

This variant of mocbot copies itself to the system directory as wgareg.exe, and creates an NT service to run at startup called "Windows Genuine Advantage Registration Service". The description given to the service reads "Ensures that your copy of Microsoft Windows is genuine and registered. Stopping or disabling this service will result in system instability.", in an attempt to discourage users from stopping it from running.

Mocbot can also use AOL Instant Messenger to send instant messages using the victim's account. This could be a potential vector to allow the controller to trick users into downloading and executing the bot from an external URL, allowing it to penetrate firewalls like any other file downloaded over HTTP. Once inside a network, it could then spread using the MS06-040 exploit to vulnerable internal systems over TCP port 445. This underscores the danger of allowing unrestricted external instant messaging in a corporate environment, as it often introduces malware directly to users, bypassing perimeter controls.

At the time of this writing, anti-virus detection is not especially broad, with only 1/3 of all anti-virus engines tested reporting the file as malware or flagging it as suspicious. None of them recognize it as a Mocbot variant.

They also have snort signatures available on their site which they've submitted to bleeding snort.

The MSRC blog is reporting this:

Hey everyone, it’s Adrian. Wanted to drop in and let you know where we are in our investigation of Win32/Graweg. As I’m sure you’ve seen by now on our AV partner sites, this is rated as a low threat and doesn’t at this time replicate automatically from machine to machine. So it’s impact in terms of infection base appears to be extremely small. We’ve updated the security advisory related to MS06-040. What we know right now is that the attack affects specifically Windows 2000 computers who have not applied the MS06-040 update. Thus far we have not seen this attack impacting any other versions. We urge everyone to apply the update however, and should the situation change we will post more information and guidance as it becomes available.

Keep the bolded portion in mind as you read this next writeup (the original from ISC):

Over the weekend there was a botnet doing fairly wide scale scanning for hosts affected by the vulnerabilities in the MS06-040 advisory. While technically a botnet, it was spreading in a worm like fashion.

Microsoft has updated Advisory 922437 due to this activity.

My current goal is to obtain a copy of this worm for further analysis and to play with (I have a few cool ideas to log data) so if anyone has it come across could you please quarentine a copy and send it my way... PM it here in a zip or email it to me -- ht[at]computerdefense.org

Peace,
HT

[MURACU]

just a little head ups I heard that the patch MS06-40 may have an impact on HTTPs services and ceritficates so test the patch well before you deploy it (as usuall). I have moved jobs so I no longer have a W2K3 domain to play with so if any one has more concrete information on weather it does cause problems or not it would interest me.
cheers
muracu.

[er0k]

also, the patch changes ie settings to high automatically, or at least from what i've heard. firefox/opera/netscape/mozilla users are good though.

[mohaughn]

Er0k- You are obviously confused, or repeating bad information. This patch only contains an update for the server service. It does nothing to IE. Specifically it does a check on the length of messages being submitted to the server service via RPC. It has nothing to do with IE.