
Security Tidbits : No, we're not at worm stage... (yet) and Just some comments on MS08-067

Correction: There is a worm component. (Yes, the trojan itself isn't a worm. But that overlooks the behavior of a dll, a dll dropped by Gimmiv, which is a worm. Now, that doesn't mean we're at a SQL Slammer type worm stage. This Trojan has to get into a system. But, nevertheless, I stand corrected.)

There’s some misinformation going on out there that there is already a worm targeting MS08-067. We haven’t been able to verify this.

Looking at the particular trojan that blog mentioned, it seems to me to be a trojan related to the MS08–067 attacks that I took a quick look at this morning:

[Screenshot: strings extracted from the trojan sample]

You can see it targeting antivirus vendors like Bitdefender, Jiangmin, Kingsoft, Symantec, Microsoft, Rising and Trend.

And in this screen, you can see some pretty ugly stuff. This is not a nice trojan:

[Screenshot: further strings extracted from the trojan sample]

At any rate, I don’t want to de-emphasize the absolutely vital need to patch systems ASAP.

And, we would make an educated guess that a worm will hit soon (maybe in the next day or so).

I was stuck in meetings today and didn’t get a chance to write much more than I did earlier.

Just some quick notes on MS08-067.

– We have samples in-house of the trojans in-the-wild that are being used in targeted attacks, taking advantage of this exploit. These are currently only targeted attacks, not being used broadly by malware authors.

– It is not a light thing. The urgency is quite real — unpatched, you’ve got the spectre of another SQL Slammer, Code Red type of scenario if the malware writers create a worm. The other issue with this patch is that it affects a broad number of systems (XP, Windows 2000 and 2003 -- the Vista/2008 platform isn't at the same level of risk).

– It is an extraordinary event that pushes Microsoft to do an out-of-band update. This is a big deal for them — each update is tested on a vast number of machines. It underscores the potential seriousness of this vulnerability.

Patch like hell and let’s hope everything will be ok in the morning.

Alex is a technology CEO, with leadership, operating partner, investor, and board member roles at security firms including AutoLoop, Borland, Quarterdeck (now Symantec and Cisco WebEx), GFI/TeamViewer, Sunbelt Software (now ThreatTrack Security), BlueStripe Software, StopBadware, Knowbe4, Malwarebytes, and Runaware Holding AB. When CEO of Sunbelt he ran a security blog, and he still writes on security.