Windows Critical Update!!!!!
IbPervert (imported)
- Posts: 801
- Joined: Wed Jan 10, 2007 6:13 pm
If you are on a Windows Platform then you have to run your Windows Update routine right away! A critical flaw has been exploited and the result is a worm that will steal your passwords and send them to an unknown third party. Below is more information...
IbPervert
http://blog.threatexpert.com/2008/10/gi ... ility.html
Thursday, October 23, 2008
Gimmiv.A exploits critical vulnerability (MS08-067)
A critical vulnerability in the Server Service has only just been patched by Microsoft (MS08-067), as a new worm called Gimmiv.A has been found to be exploiting it in the wild.
Once executed, the worm will drop 3 files: winbase.dll, basesvc.dll and syicon.dll into the directory %System%\Wbem\basesvc.dll.
It will then install and start up a new service called BaseSvc with the display name "Windows NT Baseline". The service BaseSvc will force svchost.exe to load the DLL winbase.dll which is specified as a ServiceDll parameter for BaseSvc.
Once loaded, winbase.dll will load 2 additional DLLs into the address space of the system process services.exe: basesvc.dll and syicon.dll.
After dropping and loading the aforementioned DLLs, the worm will collect system information from the compromised computer, collect passwords from the Windows protected storage and the Outlook Express password cache, and post the collected details to a remote host. The details are posted in an encrypted form, using AES (Rijndael) encryption.
The collected information seems to specify if the following AV products are found to be installed on the compromised system:
* BitDefender Antivirus
* Jiangmin Antivirus
* Kingsoft Internet Security
* Kaspersky Antivirus
* Microsoft's OneCare Protection
* Rising Antivirus
* Trend Micro
Details collected by Gimmiv.A are then posted to a personal profile of the user "perlbody", hosted with the hosting provider http://www.t35.com. At this time, the collected details are displayed at this link.
At the time of this writing, there are 3,695 entries in that file. Every line contains an encrypted string, which could potentially conceal current victims' details, indirectly indicating how many victims have been compromised by this worm so far.
The worm also fetches a few files from the following locations:
* http://summertime.1gokurimu.com
* http://perlbody.t35.com
* http://doradora.atzend.com
One of the downloaded files is a GIF image shown below:
The most interesting part of this worm is implemented in the DLL basesvc.dll. This DLL is responsible for the network functionality of Gimmiv.A.
What needs to be clarified here is that the exploit MS08-067 used by Gimmiv.A allows remote code execution, which makes it potentially "wormable". Considering that the vector of attack is RPC DCOM and the code, which is used against other hosts in the network, is similar to that of typical RPC DCOM network-aware worms, Gimmiv.A is classified in this post as a worm. However, it could technically be classified as a network-aware trojan that employs the functionality of a typical RPC DCOM network-aware worm to attack other hosts in the network.
Gimmiv.A starts by probing other IPs on the same network by sending them a sequence of bytes "abcde" or "12345". The worm then attempts to exploit other machines by sending them a malformed RPC request and relying on a vulnerable Server service. As is known, the Server service uses a named pipe SRVSVC as its RPC interface, which is registered with the UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188. In order to attack it, the worm first attempts to bind SRVSVC by constructing the following RPC request:
Next, Gimmiv.A submits a maliciously crafted RPC request that instructs SRVSVC to canonicalize a path "\c\..\..\AAAAAAAAAAAAAAAAAAAAAAAAAAAAA" by calling the vulnerable RPC request NetPathCanonicalize, as shown in the traffic dump below (thanks to Don Jackson from SecureWorks for the provided dump):
As this is a critical exploit, Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.
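The persistence described in the quoted write-up (a service named BaseSvc with display name "Windows NT Baseline", whose ServiceDll points at winbase.dll) is something a defender can check for in a registry export. This is an added example, not code from the post or from ThreatExpert; the .reg text is constructed, and it assumes the standard Services key layout under HKLM\SYSTEM\CurrentControlSet.

```python
import re

# Indicators taken from the ThreatExpert write-up quoted above.
SERVICE_NAME = "basesvc"
DISPLAY_NAME = "windows nt baseline"
DROPPED_DLLS = {"winbase.dll", "basesvc.dll", "syicon.dll"}

# Constructed sample in `reg export` (.reg) syntax: one benign service plus the
# BaseSvc persistence. Not a real capture; .reg doubles backslashes in strings.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache]
"DisplayName"="DNS Client"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\dnsrslvr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BaseSvc]
"DisplayName"="Windows NT Baseline"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BaseSvc\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\wbem\\winbase.dll"
'''

def parse_reg(text):
    """Parse the subset of .reg syntax used above into {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # un-double the backslashes .reg uses inside string values
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def find_gimmiv_service(keys):
    """Return one finding per registry artefact matching the BaseSvc persistence."""
    findings = []
    for key, values in keys.items():
        if key.split("\\")[-1].lower() == SERVICE_NAME:
            findings.append("service key present: " + key)
        if values.get("DisplayName", "").lower() == DISPLAY_NAME:
            findings.append("suspicious display name in " + key)
        dll = values.get("ServiceDll", "")
        if dll.replace("\\", "/").rsplit("/", 1)[-1].lower() in DROPPED_DLLS:
            findings.append("ServiceDll points at dropped DLL: " + dll)
    return findings
```

On a real host, feed the function the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services` instead of the constructed sample; an empty result from the exported file is the "nothing found" case Riverwind describes later in the thread.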
Kortpeel (imported)
- Posts: 372
- Joined: Wed Nov 28, 2001 12:11 pm
Re: Windows Critical Update!!!!!
IbPervert (imported) wrote: Sun Oct 26, 2008 8:17 pm
Gimmiv.A exploits critical vulnerability (MS08-067)
It will then install and start up a new service called BaseSvc with the display name "Windows NT Baseline". The service BaseSvc will force svchost.exe to load the DLL winbase.dll which is specified as a ServiceDll parameter for BaseSvc.
Once loaded, winbase.dll will load 2 additional DLLs into the address space of the system process services.exe: basesvc.dll and syicon.dll.
Wow! I've read all this several times and am no wiser. My non-expert interpretation is that a new virus called Gimmiv.A will do something horrible to my computer because Microsoft left the door open for it. Now Microsoft have come up with a patch for it - which MS users had better apply pronto or else.
How does a person acquire the level of expertise which will allow him to understand all this jargon and make sense of it?
Kortpeel
The Lurker (imported)
- Posts: 251
- Joined: Thu Apr 05, 2007 1:36 pm
Re: Windows Critical Update!!!!!
Just buy a Mac (not the wolf) and be done with it. There are tens of thousands of viruses for Windows. Fewer than 600 for Mac. Macs are simpler to use and understand and are built for the home user in more ways than Windows.
Riverwind (imported)
- Posts: 7558
- Joined: Sun Dec 30, 2001 1:58 pm
Re: Windows Critical Update!!!!!
If you've got your Windows machine set to receive automatic updates and install without bothering you, you should be fine. Run a file search for the terms "Winbase" and such. If they don't come up, you're fine. If they do, you'd better get online and find out how to fix it, if your anti-virus won't, and start changing passwords.
As I understand it, this worm/virus steals your passwords and encrypts the data, then sends it off to a website where those who know the encryption code can decipher it and do what they will with it.
Arab Nights (imported)
- Posts: 2147
- Joined: Sat May 22, 2004 7:23 pm
Re: Windows Critical Update!!!!!
I used the search function on Windows Explorer and it came up nil. Thanks for putting my mind at rest.
fhunter
- Site Admin
- Posts: 1634
- Joined: Wed Nov 27, 2024 9:57 am
- Location: Serbia
Re: Windows Critical Update!!!!!
IbPervert (imported) wrote: Sun Oct 26, 2008 8:17 pm
If you are on a Windows Platform then you have to run your Windows Update routine right away! A critical flaw has been exploited and the result is a worm that will steal your passwords and send them to an unknown third party.
Two server addresses from the list this worm tries to contact are already dead.
perlbody.t35.com - still alive.
Hmmm.
Thanks for the warning. I switched to Linux long ago, but use Windows from time to time in a virtual environment (and usually don't patch it).
PS. Viruses, viruses... janitors - that's the real power - one hit of the broom on server and no work for everybody for next few hours.
incuse (imported)
- Posts: 243
- Joined: Sat Oct 12, 2002 8:42 pm
Re: Windows Critical Update!!!!!
The Lurker (imported) wrote: Mon Oct 27, 2008 5:42 am
Just buy a Mac (not the wolf) and be done with it. There are tens of thousands of viruses for Windows. Fewer than 600 for Mac. Macs are simpler to use and understand and are built for the home user in more ways than Windows.
Macs are not exploited because they aren't as popular as Windows. The same with Linux (I'm a Linux user). The moment Macs hit a saturation point then some folks will find the time to discover and use exploits on the Mac.
The one way to make sure this doesn't happen is to NOT invite people to use Macs. It's better for you that way.
Your request to bring new users to Macs is like Jehovah's Witnesses' bringing folks to their religion and then in the afterlife whining why the odds decreased that they weren't one of the chosen 144,000.
Buzz1221 (imported)
- Posts: 42
- Joined: Sat Sep 01, 2007 11:36 am
Re: Windows Critical Update!!!!!
incuse (imported) wrote: Tue Oct 28, 2008 2:48 pm
Macs are not exploited because they aren't as popular as Windows. The same with Linux (I'm a Linux user). The moment Macs hit a saturation point then some folks will find the time to discover and use exploits on the Mac.
The one way to make sure this doesn't happen is to NOT invite people to use Macs. It's better for you that way.
Your request to bring new users to Macs is like Jehovah's Witnesses' bringing folks to their religion and then in the afterlife whining why the odds decreased that they weren't one of the chosen 144,000.
Funny -- and true. I've stopped inviting my friends to buy Macs for just this reason...
fhunter
- Site Admin
- Posts: 1634
- Joined: Wed Nov 27, 2024 9:57 am
- Location: Serbia
Re: Windows Critical Update!!!!!
incuse (imported) wrote: Tue Oct 28, 2008 2:48 pm
Macs are not exploited because they aren't as popular as Windows. The same with Linux (I'm a Linux user). The moment Macs hit a saturation point then some folks will find the time to discover and use exploits on the Mac.
The one way to make sure this doesn't happen is to NOT invite people to use Macs. It's better for you that way.
I can't be sure about Macs (haven't looked into the system that deep), but Linux systems (and other Unix) have a better security model than Windows (if configured correctly