As expected, we are seeing another wave of attacks exploiting the vulnerability detailed in security bulletin MS08-067.
Early last week we blogged about MS08-067 exploits. At that time, the number of exploits in the wild was still low and they were mostly targeted attacks. However, during the weekend we started receiving customer reports for new malware that exploits this vulnerability. During the last two days that malware gained momentum and as a result we see an increased support call volume. The SHA1 hash of the malware is 0x5815B13044FC9248BF7C2DBA771F0E6496D9E536 and we detect it as Worm:Win32/Conficker.A.
This malware mostly spreads within corporations but was also reported by several hundred home users. It opens a random port between 1024 and 10000 and acts like a web server. It propagates to random computers on the network by exploiting MS08-067. Once the remote computer is exploited, that computer downloads a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over, and the file is then saved to the local system folder as a randomly named DLL.
It is also interesting to note that the worm patches the vulnerable API in memory so the machine will not be vulnerable anymore. It is not that the malware authors care so much about the computer; they want to make sure that other malware will not take it over too. More details are available in our encyclopedia write-up.
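The propagation sequence above (an SMB contact on port 445 from the infected host, followed shortly by the newly exploited host fetching a .jpg over HTTP from that same host on a port in the 1024-10000 range) can be correlated in connection logs. The following is an added example, not code from the original post; it assumes a hypothetical one-line-per-connection log format and a constructed sample log.

```python
"""Correlate the Conficker.A spread pattern in constructed connection-log lines.

Log format (assumed, hypothetical): "<epoch> <src> -> <dst>:<dport>[ GET <uri>]"
"""
import re
from collections import defaultdict

PORT_LOW, PORT_HIGH = 1024, 10000   # range of the worm's random HTTP port, per the post
WINDOW_SECONDS = 300                # assumed correlation window (tuning value, not from the post)

LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)(?: GET (?P<uri>\S+))?$"
)

def parse(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"], ev["dport"] = int(ev["ts"]), int(ev["dport"])
    return ev

def find_propagation(lines):
    """Return (attacker, victim, port) for each SMB contact followed, within the
    window, by the victim fetching a .jpg from the attacker on a high port."""
    smb_hits = defaultdict(list)    # victim -> [(ts, attacker)] seen on 445
    alerts = []
    for ev in filter(None, map(parse, lines)):
        if ev["dport"] == 445:
            smb_hits[ev["dst"]].append((ev["ts"], ev["src"]))
        elif (ev["uri"] and PORT_LOW <= ev["dport"] <= PORT_HIGH
              and ev["uri"].lower().endswith(".jpg")):
            for ts, attacker in smb_hits[ev["src"]]:
                if attacker == ev["dst"] and 0 <= ev["ts"] - ts <= WINDOW_SECONDS:
                    alerts.append((attacker, ev["src"], ev["dport"]))
    return alerts

# Constructed sample log: one true propagation, plus benign and out-of-window traffic.
SAMPLE_LOG = [
    "1000 10.0.0.5 -> 10.0.0.9:445",                # infected host reaches victim over SMB
    "1003 10.0.0.9 -> 10.0.0.5:7412 GET /x.jpg",    # victim pulls payload from attacker (flagged)
    "1010 10.0.0.7 -> 10.0.0.20:80 GET /logo.jpg",  # ordinary web image on port 80 (ignored)
    "1015 10.0.0.8 -> 10.0.0.30:8080 GET /b.jpg",   # high port but no prior SMB contact (ignored)
    "1020 10.0.0.5 -> 10.0.0.11:445",
    "2000 10.0.0.11 -> 10.0.0.5:8080 GET /a.jpg",   # outside the window (ignored)
]

if __name__ == "__main__":
    for attacker, victim, port in find_propagation(SAMPLE_LOG):
        print(f"possible MS08-067 worm spread: {attacker} -> {victim} (payload fetched on port {port})")
```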
Most of the reports come from users in the United States, but we also received reports from other countries/regions such as Germany, Spain, France, Italy, Taiwan, Japan, Brazil, Turkey, China, Mexico, Canada, Argentina and Chile. On the other hand, Worm:Win32/Conficker.A avoids infecting Ukrainian computers and indeed we received no reports from there.
We have also found several bots that exploit MS08-067. We detect them as Backdoor:Win32/IRCbot.BH.
We continue to urge all our customers to install MS08-067. If you have installed this update, you’re already protected from this malware. We’ll continue to monitor the situation and will post updates as necessary.