Trojan exploiting MS08-067 RPC vulnerability


There are reports emerging Friday morning of a new Trojan exploiting the MS08-067 RPC vulnerability in Windows that Microsoft patched with an emergency fix yesterday. Known as Gimmiv.A, the Trojan propagates automatically through networks, and also installs a number of small programs on compromised machines. But its most worrisome capability is a feature that enables Gimmiv.A to find cached passwords in a number of locations and then send them off to a remote server. Before sending the data, the Trojan encrypts the passwords with AES.

From the ThreatExpert description of Gimmiv.A:

It starts from probing other IPs from the same network by sending them a sequence of bytes “abcde” or “12345”. The worm then attempts to exploit other machines by sending them a malformed RPC request and relying on a vulnerable Server service. As is known, Server service uses a named pipe SRVSVC as its RPC interface, which is registered with UUID equal to 4b324fc8-1670-01d3-1278-5a47bf6ee188.

Next, Gimmiv.A submits a maliciously crafted RPC request that instructs SRVSVC to canonicalize a path “/c/../../AAAAAAAAAAAAAAAAAAAAAAAAAAAAA” by calling the vulnerable RPC request NetPathCanonicalize.
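The two network-visible stages in the ThreatExpert excerpt above, a DCERPC bind to the SRVSVC interface UUID followed by a NetPathCanonicalize request whose path argument contains `..` traversal, are what a network detection for this worm keys on. What follows is an added example, not code from the original article or from ThreatExpert: a minimal DCERPC PDU inspector in Python that parses constructed bind and request PDUs and flags that sequence, plus a check for the "abcde"/"12345" probe payloads. The sample PDUs are constructed here; the request stub is a simplified stand-in for the real NDR argument encoding of NetprPathCanonicalize (an assumption, not the actual wire layout), and the opnum value 31 and the NDR transfer-syntax UUID are standard DCE/RPC values that the article itself does not state.

```python
import struct
import uuid

# Interface UUID of the Server service (SRVSVC), as quoted from ThreatExpert.
SRVSVC_UUID = uuid.UUID("4b324fc8-1670-01d3-1278-5a47bf6ee188")
# Standard NDR transfer syntax carried in every DCERPC bind (not from the article).
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")
# srvsvc opnum of NetprPathCanonicalize (standard value, not from the article).
NETPATHCANONICALIZE_OPNUM = 31

PTYPE_REQUEST = 0
PTYPE_BIND = 11
PROBE_PAYLOADS = (b"abcde", b"12345")


def _header(ptype, body_len, call_id):
    # 16-byte connection-oriented DCERPC header: version 5.0, little-endian drep.
    return struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00",
                       16 + body_len, 0, call_id)


def build_bind(if_uuid, call_id=1):
    """Constructed bind PDU with one presentation context (ctx_id 0)."""
    ctx = struct.pack("<HBB", 0, 1, 0) + if_uuid.bytes_le + struct.pack("<I", 3)
    ctx += NDR_UUID.bytes_le + struct.pack("<I", 2)
    body = struct.pack("<HHIB3x", 4280, 4280, 0, 1) + ctx
    return _header(PTYPE_BIND, len(body), call_id) + body


def build_request(opnum, path, call_id=2):
    """Constructed request PDU on ctx_id 0. The stub is just the path as a
    NUL-terminated UTF-16LE string: a simplified stand-in for the real NDR
    argument layout (assumption made for this example)."""
    stub = (path + "\x00").encode("utf-16-le")
    body = struct.pack("<IHH", len(stub), 0, opnum) + stub
    return _header(PTYPE_REQUEST, len(body), call_id) + body


def parse_pdu(pdu):
    """Decode a bind or request PDU into a dict; None for anything else."""
    if len(pdu) < 16 or pdu[0] != 5:
        return None
    ptype = pdu[2]
    frag_len, = struct.unpack_from("<H", pdu, 8)
    if frag_len != len(pdu):
        return None
    if ptype == PTYPE_BIND:
        n_ctx = pdu[24]          # after max_xmit, max_recv, assoc_group
        off, ifaces = 28, []
        for _ in range(n_ctx):
            ctx_id, n_trans = struct.unpack_from("<HB", pdu, off)
            abstract = uuid.UUID(bytes_le=bytes(pdu[off + 4:off + 20]))
            ifaces.append((ctx_id, abstract))
            off += 24 + 20 * n_trans   # item = 4 + abstract(20) + n_trans * 20
        return {"type": "bind", "interfaces": ifaces}
    if ptype == PTYPE_REQUEST:
        ctx_id, opnum = struct.unpack_from("<HH", pdu, 20)   # after alloc_hint
        return {"type": "request", "ctx_id": ctx_id, "opnum": opnum, "stub": pdu[24:]}
    return None


def inspect_stream(pdus):
    """Walk the PDUs of one named-pipe conversation in order and return the
    findings: a bind to SRVSVC, and any NetPathCanonicalize call on that
    context, flagged separately when its path argument walks upward with '..'."""
    findings = []
    srvsvc_ctx = set()
    for pdu in pdus:
        p = parse_pdu(pdu)
        if p is None:
            continue
        if p["type"] == "bind":
            for ctx_id, iface in p["interfaces"]:
                if iface == SRVSVC_UUID:
                    srvsvc_ctx.add(ctx_id)
                    findings.append("bind to SRVSVC interface")
        elif (p["type"] == "request" and p["ctx_id"] in srvsvc_ctx
              and p["opnum"] == NETPATHCANONICALIZE_OPNUM):
            text = p["stub"].decode("utf-16-le", errors="ignore").split("\x00")[0]
            if "../" in text or "..\\" in text:
                findings.append("NetPathCanonicalize with '..' traversal: %r" % text)
            else:
                findings.append("NetPathCanonicalize call")
    return findings


def is_probe_payload(data):
    """The byte sequences the worm sends while probing neighbouring hosts."""
    return data in PROBE_PAYLOADS


# Constructed sample conversation: bind to SRVSVC, then the canonicalize
# request carrying a traversal path shaped like the one quoted above.
SAMPLE_PATH = "/c/../../" + "A" * 29
SAMPLE_STREAM = [build_bind(SRVSVC_UUID),
                 build_request(NETPATHCANONICALIZE_OPNUM, SAMPLE_PATH)]

if __name__ == "__main__":
    print("probe:", is_probe_payload(b"abcde"))
    for finding in inspect_stream(SAMPLE_STREAM):
        print(finding)
```

In a real deployment the PDUs would come from reassembled SMB writes to the srvsvc named pipe rather than from `build_bind`/`build_request`; the inspector only decides what to flag, and it deliberately alerts on any `..` in a NetPathCanonicalize path rather than on one specific payload, since the traversal itself is the behaviour worth catching.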

Microsoft had some information about Gimmiv.A in its description of the new vulnerability yesterday, saying that the company had added signatures for the Trojan to the Microsoft Malware Protection Center and had shared the information with its AV partners as well.

The analysts at F-Secure have a good description of the Trojan’s behavior too:

On execution, the malware drops a DLL component (which is also detected as Trojan-Spy:W32/Gimmiv.A) as

  • [System Folder]/wbem/sysmgr.dll

and injects it into svchost.exe. The main executable file will then delete itself.

As part of its routine for connecting to a remote server, the trojan will take into account both the operating system version and the presence of any security applications in the system. The trojan checks for the following antivirus programs:

  • BitDefender
  • avp.exe
  • Jiangmin
  • KasperskyLab
  • Kingsoft
  • Symantec
  • OneCare Protection
  • Rising
  • TrendMicro
  • dwm.exe

The trojan then connects to:

  • http://59.106.145.58/[…].php?abc=1?def=2

The two parameters ‘abc=’ and ‘def=’ are determined by the antivirus program and the operating system version, respectively. For example, if avp.exe is installed on an infected machine that runs Windows XP, then abc=1 and def=2.

The trojan then harvests the following information from the infected machine:

  • MSN Credentials
  • Outlook Express Credentials
  • Protected Storage Information
  • Username
  • ComputerName
  • Patches Installed
  • Browser Information
  • Username (web browsing)
  • Password
  • URL

Microsoft said in its advisory Thursday that the MS08-067 vulnerability could be a target for a worm, and other security experts warned of the possibility as well. Gimmiv.A does not seem to be a major threat right now, but these things have a way of gathering steam quickly once they get going.
