Skip to main content

Security Tidbits : No, we're not at worm stage... (yet) and Just some comments on MS08-067

Correction: There is a worm component. (Yes, the trojan itself isn't a worm. But that overlooks the behavior of a dll (opens in new tab), a dll dropped by Gimmiv, which is a worm. Now, that doesn't mean we're at a SQL Slammer type worm stage. This Trojan has to get into a system. But, nevertheless, I stand corrected.)

There’s some misinformation going on out there (opens in new tab) that there is already a worm targeting MS08–067 (opens in new tab). We haven’t been able to verify this.

Looking at the particular trojan that blog mentioned, it seems to me to be a trojan related to the MS08–067 attacks that I took a quick look at this morning:


You can see it targeting antivirus vendors like Bitdefender, Jiangnmin, Kingsoft, Symantec, Microsoft, Rising and Trend.

And in this screen, you can see some pretty ugly stuff. This is not a nice trojan:


At any rate, I don’t want to de-emphasize the absolutely vital need to patch systems ASAP.

And, we would make an educated guess that a worm will hit soon (maybe in the next day or so).

I was stuck in meetings today and didn’t get a chance to write much more than I did (opens in new tab)earlier.

Just some quick notes on MS08-067 (opens in new tab).

– We have samples in-house of the trojans in-the-wild that are being used in targeted attacks, taking advantage of this exploit. These are currently only targeted attacks, not being used broadly by malware authors.

– It is not a light thing. The urgency is quite real — unpatched, you’ve got the spectre of another SQL Slammer (opens in new tab), Code Red (opens in new tab) type of scenario if the malware writers create a worm. The other issue with this patch is that it affects a broad number of systems (XP, Windows 2000 and 2003 -- the Vista/2008 platform isn't at the same level of risk).

– It is an extraordinary event that pushes Microsoft to do an out-of-band update. This is a big deal for them — each update is tested on a vast number of machines. It underscores the potential seriousness of this vulnerability.

Patch like hell and let’s hope everything will be ok in the morning.

Alex is a technology CEO, with leadership, operating partner, investor, and board member roles at security firms including AutoLoop, Borland, Quarterdeck (now Symantec and Cisco WebEx), GFI/TeamViewer, Sunbelt Software (now ThreatTrack Security), BlueStripe Software, StopBadware, Knowbe4, Malwarebytes, and Runaware Holding AB. When CEO of Sunbelt he ran a security blog, and he still writes on security.