The MS08-067 Vul Goes Wormy
The biggest vulnerability to come out this year, the remote code execution flaw in the Windows Server service, detailed here, has gone all wormy according to Jose Nazario at Arbor Networks.
Earlier today we were informed about a bot that we’ve seen before, KernelBot, being dropped by an exploit tool for MS08-067. The exploit code is “67.exe”, and the bot itself is “6767.exe”. KernelBot is a Chinese origin DDoS bot run by someone we think uses the handle IceKernel; he even names his project KernelBot. We first became aware of this bot during the CNN.Com attacks earlier this year; some researchers we were working with brought it to our attention. Since then we’ve been watching this guy’s activities and seen a handful of DDoS targets, but most of them are Baidu. It’s nice to see most of the AV vendors have finally caught up and added detection.
If you want to stop this one, you should block all web access to the domain ushealthmart.com. It’s using a few hosts under that domain name to spread and send out configurations.
SANS says that if you are infected, you can see hosts scanning on port 445. It's interesting that this is targeting Baidu, the Chinese search engine. This is likely politically motivated, perhaps in retaliation for any number of Chinese atrocities.
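The port 445 scanning SANS describes is easy to spot in perimeter logs if you count distinct destinations per source rather than raw connection volume. The following is an added example (not code from the post, SANS or Arbor) that runs that check over a constructed, assumed firewall log format of `timestamp src dst dport`; the threshold and window are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not from the original post): timestamp, src, dst, dport.
SAMPLE_LOG = """\
2008-10-31T10:00:01 10.0.0.5 10.0.1.1 445
2008-10-31T10:00:02 10.0.0.5 10.0.1.2 445
2008-10-31T10:00:02 10.0.0.5 10.0.1.3 445
2008-10-31T10:00:03 10.0.0.5 10.0.1.4 445
2008-10-31T10:00:03 10.0.0.5 10.0.1.5 445
2008-10-31T10:00:04 10.0.0.5 10.0.1.6 445
2008-10-31T10:00:10 10.0.0.9 10.0.1.1 445
2008-10-31T10:00:11 10.0.0.9 10.0.1.1 445
2008-10-31T10:00:40 10.0.0.9 10.0.1.2 445
2008-10-31T10:05:00 10.0.0.7 10.0.2.1 80
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def find_445_scanners(events, window=timedelta(seconds=60), min_targets=5):
    """Return {src: peak_distinct_targets} for sources that reached at least
    min_targets distinct hosts on TCP/445 inside any window-long interval.
    Repeated connections to one host (e.g. a file server) do not count as a scan."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == 445:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, hits in per_src.items():
        hits.sort()
        peak = 0
        for i, (start, _) in enumerate(hits):
            # Distinct destinations contacted within [start, start + window].
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            peak = max(peak, len(targets))
        if peak >= min_targets:
            scanners[src] = peak
    return scanners


if __name__ == "__main__":
    print(find_445_scanners(parse_log(SAMPLE_LOG)))  # {'10.0.0.5': 6}
```

Tune `min_targets` against your own baseline of legitimate SMB traffic; a host that fans out to many distinct peers on 445 in a short window is the signal, not a host that talks to one file server repeatedly.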