SecureWorks - On the Radar Newsletter - November 2008
MS08-067 and the Gimmiv Worm
On October 23, Microsoft released a critical security update (MS08-067) to patch a vulnerability in Windows systems that could be remotely exploited by an attacker. Shortly thereafter, SecureWorks' Counter Threat Unit℠ received credible data indicating exploitation of this vulnerability "in the wild" – making the potential threat significantly more severe.
MS08-067 addresses a vulnerability found in the Server service on Windows systems. The vulnerability exists in the way the Server service handles crafted remote procedure call (RPC) requests. By default, authentication is not required to exploit this vulnerability on Windows 2000, Windows XP and Windows Server 2003, making remote exploitation easier for an attacker targeting these systems. Windows Vista and Windows Server 2008 systems require authentication by default, which makes these systems less vulnerable to remote exploitation.
The potential severity of this vulnerability led Microsoft to issue its first "out-of-cycle" security update since April 2007 (MS07-017). To ensure our clients are protected, SecureWorks released countermeasures to prevent and detect attempts to exploit the MS08-067 vulnerability on October 23rd – the same day as the Microsoft update.
Not long after MS08-067 was released, the SecureWorks Counter Threat Unit (CTU℠) learned of a zero-day worm exploiting the new vulnerability. Called "Gimmiv", the new worm's potential for a global impact à la the highly prolific worms of earlier in the decade warranted immediate investigation. Fortunately, in-depth analysis of the Gimmiv worm by the CTU revealed that very few networks had been infected, due to default restrictions on Windows XP SP2 and later versions, which limit connections to RPC ports to the local subnet. This means that Gimmiv can only infect vulnerable hosts on the same network, making mass propagation very unlikely for Gimmiv as well as for future malware seeking to exploit the same vulnerability.
While widespread worm infection is highly unlikely, the exploit used in Gimmiv will live on in Trojans and other forms of malware. Motivated by financial gain, today's cybercriminals prefer targeted and discreet attacks to compromise systems and data. The Gimmiv exploit adds another tool to the toolbox that sophisticated attackers can use to slip past your defenses.
To protect against this vulnerability, SecureWorks recommends:
- Applying the MS08-067 security update from Microsoft as soon as possible. Use the workaround detailed in the MS08-067 bulletin to help protect against exploits of the vulnerability before you have applied the security update.
- Blocking MS08-067 exploit attempts with Network Intrusion Prevention Systems (NIPS) that have active countermeasures for this vulnerability.
- Monitoring Windows host logs using Security Information Management (SIM) with correlation rules to detect MS08-067 exploitation.
- Following firewall best practices, using default-deny firewall configurations and blocking external access to non-essential ports to block outside exploit attempts.
As mentioned in the above article, SecureWorks has released countermeasures to protect our clients from this threat.
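The subnet restriction described above and the log-monitoring recommendation can be turned into a simple correlation check. The script below is an added illustration, not SecureWorks' countermeasure or correlation rule: it reads constructed connection-log lines, flags connections to the Server service ports (TCP 139 and 445, which the newsletter does not name) arriving from outside the local subnet, and flags an internal host fanning out to many neighbours on those ports, the within-subnet spread pattern Gimmiv was limited to. The log format and the fan-out threshold are assumptions chosen for the example.

```python
import ipaddress
from collections import defaultdict

# TCP ports on which the Windows Server service (srvsvc over SMB) is reached.
SERVER_SERVICE_PORTS = {139, 445}

# Constructed sample log lines (not real traffic): "timestamp src:port dst:port".
SAMPLE_LOG = """\
2008-10-24T10:00:01 203.0.113.7:51234 192.168.1.20:445
2008-10-24T10:00:02 192.168.1.15:1029 192.168.1.21:445
2008-10-24T10:00:02 192.168.1.15:1030 192.168.1.22:445
2008-10-24T10:00:03 192.168.1.15:1031 192.168.1.23:139
2008-10-24T10:00:03 192.168.1.15:1032 192.168.1.24:445
2008-10-24T10:00:04 192.168.1.30:1040 192.168.1.40:80
2008-10-24T10:00:05 192.168.1.31:1041 192.168.1.20:445
"""

def parse_line(line):
    """Split one assumed-format log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, src, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dst_port)

def detect(log_text, local_subnet, fanout_threshold=3):
    """Return (rule, source_ip) alerts for Server-service traffic in the log.

    external_rpc_access: a source outside local_subnet reached port 139/445,
        the traffic the XP SP2+ firewall scope and a default-deny perimeter block.
    internal_rpc_fanout: an internal source reached >= fanout_threshold distinct
        internal hosts on port 139/445, the worm-like spread within a subnet.
    """
    subnet = ipaddress.ip_network(local_subnet)
    alerts = []
    fanout = defaultdict(set)  # internal source -> distinct internal SMB/RPC targets
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, dport = parse_line(line)
        if dport not in SERVER_SERVICE_PORTS:
            continue
        if src not in subnet:
            alerts.append(("external_rpc_access", str(src)))
        elif dst in subnet:
            fanout[src].add(dst)
    for src, targets in fanout.items():
        if len(targets) >= fanout_threshold:
            alerts.append(("internal_rpc_fanout", str(src)))
    return alerts

if __name__ == "__main__":
    for rule, src in detect(SAMPLE_LOG, "192.168.1.0/24"):
        print(f"{rule}: {src}")
```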
Additional Information:
Microsoft Security Bulletin MS08-067 http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx
CVE-2008-4250 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
Tracking Gimmiv (SecureWorks Research Blog) http://www.secureworks.com/research/blog/index.php/2008/11/03/tracking-gimmiv/
The Rogue Plague
SC Magazine Podcast
Malicious programs posing as antivirus software, a.k.a. "rogue antivirus", are infecting PCs and fooling computer users into paying millions of dollars for a phony product. In this exclusive podcast with SC Magazine, SecureWorks Counter Threat Unit researcher Joe Stewart discusses how rogue antivirus is being distributed and how cybercriminals are using it for their own profit.
Listen to the SC Magazine Podcast
Featured Gartner Research
IT Security Threat Projection Timeline
According to Gartner, "Cyberthreats continue to evolve, and businesses must evolve their defenses as well." In this research note, Gartner projects emerging threats and provides key findings and recommendations for businesses to mitigate these threats.
View the complimentary Gartner report
SecureFacts:
"Gartner estimates that 75% of enterprises can improve security and lower costs by outsourcing repetitive security functions to a high-quality MSSP."
Gartner, Cost Cutting While Improving Security
