Fortinet's FortiGuard Global Security Research Team provided an original advisory on October 23, 2008, in parallel with Microsoft Security Bulletin MS08-067. Since that date, the team has closely monitored this vulnerability. Active exploitation was seen in November 2008, and a heightened level of activity was observed in mid-December 2008. The statistics shown in Figure 1 were compiled from Fortinet's FortiGate network security appliances and intelligence systems for the period October 26, 2008 to January 8, 2009.

Figure 1: MS08-067 exploit activity from October 2008 to January 2009, detected as MS.DCERPC.NETAPI32.Buffer.Overflow
Since December 2008, this heightened level of activity has held steady and continued into January 2009. A worm in the wild exploiting this vulnerability is detected by Fortinet as W32/Conficker.A. Recently, a new variant has been observed in the wild, detected as W32/Conficker.B.
The FortiGuard Global Security Research Team describes Conficker as a worm that spreads through the MS08-067 vulnerability, probing potential victim machines on port 445 (SMB). The worm contacts several remote servers to obtain geographical IP information. This regional information is checked; if the machine is located in Ukraine, the infection routine is skipped. This geolocation check acts as a form of self-protection and is a likely indicator of where the author(s) reside. Once a target machine has been located, the exploit runs and, if successful, a copy of the worm (the payload) is transferred to the newly infected host via HTTP. Preset dates are incorporated into the malicious code; once these dates are reached, the worm exhibits certain behavior. For W32/Conficker.A this includes generating random domain names to query. These domain names are produced dynamically by an algorithm that generates 250 domain names made up of alphabetic characters. As of this writing, these domain names are not yet registered, and the purpose of this behavior remains to be seen.
Additionally, the worm has UPnP detection capabilities, which are suspected to be used to locate and communicate with gateway devices. Several attack tools tailored for this vulnerability have been observed in the wild, making the means of compromise widely available.
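The two behaviors described above leave distinctive traces on the network: an infected host fans out to many peers on TCP/445, and, once the preset date is reached, it resolves a burst of random-looking, all-letter domain names that do not exist. The following script is an added example written for this page, not Fortinet's own code or the actual domain-generation algorithm (which the advisory does not disclose). It runs two simple heuristics over constructed flow and DNS resolver records and reports hosts that show either or both patterns; the log formats, thresholds, IP addresses and domain names are all assumptions made for the example.

```python
"""Defender-side heuristics for the two Conficker traits described above.

1. SMB fan-out: one internal host connecting to many distinct peers on TCP/445.
2. Domain-generation bursts: a host receiving many NXDOMAIN answers for
   distinct alphabetic-only second-level domains.

All records below are constructed for this example; they are not real captures.
"""
from collections import defaultdict
import re

# Constructed flow records: "<src_ip> <dst_ip> <dst_port> <proto>".
# 10.0.0.12 plays the infected host sweeping its /24 on TCP/445;
# 10.0.0.50 is an ordinary client that only ever talks to one file server.
FLOW_LOG = [f"10.0.0.12 10.0.0.{n} 445 tcp" for n in range(20, 60)]
FLOW_LOG += ["10.0.0.50 10.0.0.5 445 tcp"] * 40          # many flows, one target
FLOW_LOG += ["10.0.0.50 10.0.0.5 80 tcp", "10.0.0.12 10.0.0.1 53 udp"]

# Constructed DNS resolver log: "<client_ip> <qname> <rcode>".
# The twelve names below are made up to look like generated, unregistered
# domains; they are not taken from any real sample.
DGA_LIKE = ["qwmzplk.com", "hvtrsbn.net", "ykfqowe.org", "pnmzvbt.biz",
            "xrtwlqa.com", "mcbvfdh.info", "zoqpvlk.net", "tghykre.org",
            "lrowpmb.com", "fqzxncd.net", "bvckdse.org", "wpqazxs.biz"]
DNS_LOG = [f"10.0.0.12 {d} NXDOMAIN" for d in DGA_LIKE]
DNS_LOG += ["10.0.0.50 www.example.com NOERROR",
            "10.0.0.50 mail.example.com NOERROR",
            "10.0.0.50 typo-hostname.example.com NXDOMAIN"]  # a normal typo, not DGA

# Shape of the generated names: one alphabetic label plus an alphabetic TLD.
ALPHA_ONLY = re.compile(r"^[a-z]+\.[a-z]{2,}$")


def smb_fanout(flow_lines, min_targets=20):
    """Return {src_ip: distinct_targets} for sources that reached at least
    `min_targets` different hosts on TCP/445. A sweeping worm fans out;
    a normal SMB client talks to a handful of servers."""
    targets = defaultdict(set)
    for line in flow_lines:
        src, dst, port, proto = line.split()
        if proto == "tcp" and port == "445":
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def dga_suspects(dns_lines, min_nx=10):
    """Return {client_ip: sorted_names} for clients with at least `min_nx`
    NXDOMAIN answers for distinct alphabetic-only second-level domains."""
    nx_names = defaultdict(set)
    for line in dns_lines:
        client, qname, rcode = line.split()
        qname = qname.lower()
        if rcode == "NXDOMAIN" and ALPHA_ONLY.match(qname):
            nx_names[client].add(qname)
    return {client: sorted(names) for client, names in nx_names.items()
            if len(names) >= min_nx}


def triage(flow_lines, dns_lines):
    """Hosts showing both traits are the first candidates for isolation
    and an antivirus sweep."""
    return sorted(set(smb_fanout(flow_lines)) & set(dga_suspects(dns_lines)))


if __name__ == "__main__":
    print("TCP/445 fan-out:", smb_fanout(FLOW_LOG))
    print("NXDOMAIN bursts:", {c: len(n) for c, n in dga_suspects(DNS_LOG).items()})
    print("Both traits:", triage(FLOW_LOG, DNS_LOG))
```

The thresholds are deliberately conservative: a file server client produces many flows to a few hosts, and a user mistyping a hostname produces a few NXDOMAINs for names that rarely match the single-label, letters-only shape, so neither trips the detectors alone. In production the same logic would read from the firewall's flow export and the resolver's query log rather than from embedded lists.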
Solutions:
- The FortiGuard Global Security Research Team released the IPS signature "MS.DCERPC.NETAPI32.Buffer.Overflow" to protect against this vulnerability.
- Fortinet provides antivirus detection for the malicious payload, including (but not limited to) W32/Conficker.A!worm and W32/Conficker.B!worm.
- Microsoft has released an update that patches this vulnerability with Security Bulletin MS08-067; applying it is highly recommended.
References:
Acknowledgement:
Kyle Yang of Fortinet's FortiGuard Global Security Research Team for Conficker details