April 1st is behind us and nothing really happened with Conficker. But it is never boring in the antimalware world. We have found a new exploit of MS08-067 other than Conficker. We also discovered that we already detected and protected users against this new malware. We added information about mitigations against this malware at the end of this blog post.
Neeris is a worm that has been active for a few years. Some of its variants used to exploit MS06-040 which addressed a vulnerability in the same Server service as MS08-067. However it looks like the authors of Neeris have been taking notes from Conficker. A new variant of the Neeris worm has been launched this week. It has some interesting similarities to Conficker:
- The new variant of Neeris has been updated to exploit MS08-067. Also, after the successful exploitation, the victim machine downloads a copy of the worm from the attacking machine using HTTP.
- Neeris spreads via autorun. The new Neeris variant even adds the same ‘Open folder to view files’ AutoPlay option that Conficker does.
- Neeris uses a driver to patch the TCP/IP layer of the system in order to remove the outgoing connection limits from XPSP2
It is interesting to note that this new variant of Neeris spiked on late March 31st and during April 1st. However it was not downloaded by any Conficker variant and there’s no evidence that it’s related to Conficker.D’s April 1 domain algorithm activation.
The earliest samples of Neeris date back to May of 2005, so it seems the Conficker authors may be the copycats here. But the Neeris authors added the MS08-067 vector later. Therefore it is possible that these miscreants somehow collaborate or at least are aware of each other’s "products".
Our current definition files were already detecting this new variant with a generic signature: Worm:Win32/Neeris.gen!C. Neeris began as an IRC bot which spreads itself by sending links through MSN Messenger. It still operates as an IRC bot, but over time, new spreading methods have been added. The latest variants can spread via removable drives, SQL servers with weak passwords, exploiting MS06-040, and finally exploiting MS08-067 in the latest variant.
The new variant tries to connect to a command and control server over port 449. The server password it uses to log-in was used by other bots last February.
The file names that this malware uses are deceptive. Most commonly we saw it using the name “Netmon.exe” but it sometimes masquerades itself as a SCR file with names that follow the pattern <two digits.scr>. It also drops a copy of itself using the file name smartkey.exe. Even its image time stamp is bogus: 6/19/1992 10:22:17 PM.
The malware adds itself to start every time Windows starts and even adds itself to the Safe Boot configuration.
Due to the similarities to Conficker, most of the mitigations that were mentioned also apply here: make sure to install MS08-067 if you haven’t done so yet and be careful to use only AutoPlay options you’re familiar with or consider disabling the Autorun altogether. Other mitigations and information are available in our write up at Worm:Win32/Neeris.gen!C.
The MD5 hash of the malware is 2a9b16223e5f015d782806928fd017cf and the SHA1 is 5f92d219feae841cc0f9a9a3065de791e0078fde.
Ziv Mador & Aaron Putnam