
Symantec warns of new Microsoft exploit


Attacks against the Windows Server Service vulnerability that Microsoft has already patched remain a problem as a new worm spreads, according to Symantec.

Symantec identified a new worm, “W32.Downadup,” that exploits the MS08-067 vulnerability and succeeds against unpatched Windows 2000 systems. Once a machine is compromised, it becomes a web server capable of serving the worm to the next generation of targets, Ben Greenbaum, senior research manager for Symantec Security Response, said Monday.

“Given that it only works against Windows 2000, it's actually spreading pretty quickly,” Greenbaum said. “We have seen roughly 25,000 infected machines so far.”

On Nov. 21, Symantec noticed an increase in attacks against the ports involved in the vulnerability, namely TCP port 445, Greenbaum said. The security firm saw “aggressive propagation” of the worm in its honeypot network and upgraded its ThreatCon level to two out of four, according to a Symantec blog post.
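The port 445 signal Symantec describes can be watched for from the defender's side as well. The following script is an added example, not code from the article or from Symantec: it parses constructed firewall log lines and flags any source that fans out to many distinct hosts on TCP/445, which is how worm propagation looks from a perimeter or internal firewall. The log format, addresses and threshold are assumptions.

```python
# Added example (not from the article): flag hosts fanning out to TCP/445,
# the propagation pattern described for W32.Downadup / MS08-067 exploitation.
from collections import defaultdict

# Constructed sample firewall log lines (syslog-like; not real data).
SAMPLE_LOG = """\
2008-11-21T10:00:01 allow src=10.0.0.5 dst=10.0.1.10 proto=tcp dport=445
2008-11-21T10:00:02 allow src=10.0.0.5 dst=10.0.1.11 proto=tcp dport=445
2008-11-21T10:00:02 deny src=10.0.0.5 dst=10.0.1.12 proto=tcp dport=445
2008-11-21T10:00:03 allow src=10.0.0.5 dst=10.0.1.13 proto=tcp dport=445
2008-11-21T10:00:03 allow src=10.0.0.5 dst=10.0.1.14 proto=tcp dport=445
2008-11-21T10:00:04 allow src=10.0.0.5 dst=10.0.1.15 proto=tcp dport=445
2008-11-21T10:00:05 allow src=10.0.0.7 dst=10.0.1.10 proto=tcp dport=445
2008-11-21T10:00:06 allow src=10.0.0.7 dst=10.0.1.10 proto=tcp dport=80
2008-11-21T10:00:07 allow src=10.0.0.9 dst=10.0.1.20 proto=tcp dport=445
2008-11-21T10:00:08 allow src=10.0.0.9 dst=10.0.1.21 proto=tcp dport=445
"""

def parse_line(line):
    """Return a dict of key=value fields plus timestamp and action; None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    fields = {"ts": parts[0], "action": parts[1]}
    for kv in parts[2:]:
        if "=" in kv:
            k, v = kv.split("=", 1)
            fields[k] = v
    return fields

def smb_fanout(log_text, min_targets=5):
    """Count distinct destination hosts each source contacted on TCP/445.

    Returns {src: distinct_destinations} for sources at or above min_targets.
    Denied attempts are counted too: a host probing blocked peers is still
    exhibiting scanning behaviour worth investigating.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f.get("proto") != "tcp" or f.get("dport") != "445":
            continue
        targets[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, n in smb_fanout(SAMPLE_LOG).items():
        print(f"ALERT: {src} contacted {n} distinct hosts on TCP/445")
```

Ordinary file-sharing clients talk to a handful of servers on 445; a source touching many distinct hosts in a short window is the anomaly to triage.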

In a blog post, Arbor Networks stated that while MS08-067 is a serious vulnerability, it has not seen similar activity on port 445.

“Each vendor has its own way to monitor what's going on in terms of security and threats in the wild,” Andrew Storms, director of security operations at nCircle, said Monday. “It's not unlikely that two different vendors would see two different types of traffic. It depends on where they are putting monitoring stations around the internet and how they are capturing that data.”

Microsoft researchers said last week that the company has seen more than 50 distinct exploits of the vulnerability, with more emerging almost every day, according to a Malware Protection Center blog post.

“In any case, in spite of the increasing number of files exploiting MS08-067, we're getting a very small number of customer reports for these attacks,” researchers Dan Zurc and Ziv Mador wrote. “It is therefore possible that some of these files are used for targeted attacks.”

Experts said that despite continued reports of active attacks, simply applying the patch for the vulnerability stops the threat.

“The obvious thing that needs to be called out is that this is a vulnerability for which patches are available,” Greenbaum said.

In October, Microsoft issued an out-of-cycle emergency patch for the vulnerability, which exists in the Windows Server service. Since then, a number of exploits against the vulnerability have been identified, including a worm called “Exploit.Win32.MS08-067.g” and a trojan called “Gimmiv.”

A Microsoft spokeswoman said Monday that Microsoft continues to recommend that customers immediately apply the available security update for affected products.
