
MS08-067: Trojan Gimmiv.A is not a true worm YET



#1 harrywaldron


Posted 30 October 2008 - 10:10 AM

All home and corporate users should ensure they are up-to-date on Windows security patches. A Windows Update should be performed if it's not an automatic process on your system. This emergency release became available on October 23, 2008.

So far, Troj/Gimmiv.A requires social engineering and some human intervention for the malware agents to load on unpatched Windows workstation and server operating systems. Usually, this requires visiting a malicious website or a mouse click to install the malicious software.

A true worm will infect vulnerable systems that are simply connected to the Internet or a Local Area Network automatically, without any human intervention. Examples of past true worms include: Code Red, Blaster, SQL-Slammer, Sasser, etc. It should also be noted that some of these early variants were buggy and less effective than more streamlined later versions.

It is hoped that exploits related to MS08-067 will not become wormable. Still, users should not take a chance. By patching now, they will prevent infections if a wormable threat materializes later. Information on patching this security vulnerability can be found below:

Microsoft Security Bulletin - MS08-067 Information
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Gimmiv.A exploits critical vulnerability (MS08-067)
http://blog.threatexpert.com/2008/10/gimmiva-exploits-zero-day-vulnerability.html

QUOTE: What needs to be clarified here, is that the exploit MS08-067 used by Gimmiv.A allows remote code execution, which makes it potentially "wormable". Considering that the vector of attack is RPC DCOM and the code is similar to typical RPC DCOM network-aware worms, which is used against other hosts in the network, Gimmiv.A is determined in this post as a worm. However, it could technically be classified as a network-aware trojan that employs functionality of a typical RPC DCOM network-aware worm to attack other hosts in the network

First Glimpse into MS08-067 Exploits In The Wild
http://www.avertlabs.com/research/blog/index.php/2008/10/24/first-glimpse-into-ms08-067-exploits-in-the-wild/


Gimmiv - Additional Information Links
http://vil.nai.com/vil/content/v_152898.htm
http://community.ca.com/blogs/securityadvisor/archive/2008/10/27/ms08-067-wormable-vulnerability-patched.aspx
http://www.prevx.com/blog/101/MS--GimmivA-exploits-Windows-bug.html
http://security.blogs.techtarget.com/2008/10/24/worm-exploiting-ms08-067-rpc-vulnerability/
https://forums.symantec.com/syment/blog/article?blog.id=vulnerabilities_exploits&thread.id=174
http://www.networkworld.com/community/node/34429
http://www.precisesecurity.com/threats/trojangimmiva/
http://www.csoonline.com/article/456980/Gimmiv_Worm_Feeds_on_Latest_Microsoft_Bug
http://www.sophos.com/security/analyses/viruses-and-spyware/trojgimmiva.html
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=74604
http://www.threatexpert.com/reports.aspx?find=gimmiv
http://www.frsirt.com/english/virus/2008/06423



#2 samuel3


Posted 31 October 2008 - 09:59 AM

Thanks for the heads up.



