October 27th, 2008, 10:06 GMT · By

New Malware Targets Windows RPC DCOM Critical Vulnerability

Trojan Gimmiv.A targets the MS08-067 vulnerability
Last week, Microsoft released an out-of-cycle patch for a critical vulnerability in the Server service that allows remote code execution. Security experts speculated at the time that new worms would use this vulnerability to spread, and not long after, such a component was detected in a new Trojan named Gimmiv.A.

The Gimmiv.A malware is classified differently by anti-virus vendors. Kaspersky, Sophos, Symantec, TrendMicro, and Microsoft classify it as a network-aware Trojan, while others such as BitDefender, GData and Ikarus consider it a worm. Whatever the label, it has both Trojan and worm capabilities, and all virus analysts agree that this malware exploits the RPC DCOM vulnerability described in the MS08-067 advisory.

When its payload runs, the malicious application drops three .DLL files and registers itself as a Windows service. It then proceeds to gather login credentials from protected locations such as the Outlook Express password cache. The Trojan also checks whether several antivirus products are installed on the system and uploads this information, along with the stolen credentials, to a remote URL. The information is encrypted and appended to a file hosted at the external URL. The application also downloads a number of files from several URLs.

The worm behavior that attempts to exploit the MS08-067 vulnerability is implemented in the basesvc.dll file, which the Trojan drops when its payload runs. “Gimmiv.A starts by probing other IPs from the same network by sending them a sequence of bytes 'abcde' or '12345'. The worm then attempts to exploit other machines by sending them a malformed RPC request and relying on a vulnerable Server service,” explains Sergei Shevchenko on the Threat Expert blog.
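The probe stage described above gives defenders a simple network indicator: one host sending the 'abcde' or '12345' marker to many neighbours in its own subnet. The following detection heuristic is an added example written for this article (not code from Softpedia or Threat Expert); the flow records are constructed, and it assumes the marker appears at the start of the TCP payload.

```python
import ipaddress
from collections import defaultdict

# Probe sequences reported by Threat Expert for Gimmiv.A's network sweep.
PROBE_MARKERS = (b"abcde", b"12345")

# Constructed sample flow records (src, dst, first payload bytes), not a real capture.
SAMPLE_FLOWS = [
    ("192.168.1.20", "192.168.1.21", b"abcde"),
    ("192.168.1.20", "192.168.1.22", b"12345"),
    ("192.168.1.20", "192.168.1.23", b"abcde"),
    ("192.168.1.20", "192.168.1.24", b"12345"),
    ("192.168.1.30", "192.168.1.31", b"abcde"),       # single probe: below threshold
    ("192.168.1.40", "10.0.0.5", b"GET / HTTP/1.1"),  # ordinary traffic, different network
]


def is_probe(payload: bytes) -> bool:
    """True when the payload begins with one of the Gimmiv.A probe sequences."""
    return payload.startswith(PROBE_MARKERS)


def find_sweeping_hosts(flows, prefix=24, min_targets=3):
    """Return {src: sorted targets} for sources that sent probe markers to at
    least `min_targets` distinct hosts inside their own /prefix network, which
    mirrors the 'probing other IPs from the same network' behaviour.
    The /24 prefix and threshold of 3 are tuning assumptions, not from the article."""
    targets = defaultdict(set)
    for src, dst, payload in flows:
        if not is_probe(payload):
            continue
        local_net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
        if ipaddress.ip_address(dst) in local_net:
            targets[src].add(dst)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for src, hosts in find_sweeping_hosts(SAMPLE_FLOWS).items():
        print(f"{src} probed {len(hosts)} same-subnet hosts: {', '.join(hosts)}")
```

Hosts flagged this way warrant a check for the dropped service DLL and an immediate MS08-067 patch status review.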

Alex Eckelberry, CEO of Sunbelt Software, initially rejected the claims, writing on the Sunbelt blog that “there’s some misinformation going on out there that there is already a worm targeting MS08-067. We haven’t been able to verify this”. He later confirmed that the malware does indeed exploit the vulnerability in the Server service. “Yes, the trojan itself isn't a worm. But that overlooks the behavior of a dll, a dll dropped by Gimmiv, which is a worm. [...] I stand corrected,” he added.

Deploying the patch is highly recommended, as malware developers are likely to target this vulnerability in future malicious applications, especially since a complex exploit for it was posted yesterday on the exploit-tracking website Milw0rm.
