Article

New malware exploits Microsoft RPC flaw

Robert Westervelt, News Director

Microsoft said Wednesday that it is continuing to track new malware attempting to exploit the remote procedure call (RPC) flaw and gain access to critical files.

"None of these attacks are the broad, fast-moving, self-replicating attacks people usually think of when they hear the word "worm," they do underscore the importance of deploying this update."
Christopher Budd, Security Program Manager, Microsoft Security Response Center

Christopher Budd, security program manager in the Microsoft Security Response Center, said the malware in the wild represents a significant threat, but most customers have deployed the patch relatively quickly.

"And while so far, none of these attacks are the broad, fast-moving, self-replicating attacks people usually think of when they hear the word 'worm', they do underscore the importance of deploying this update if you haven't already," Budd said in the

    Requires Free Membership to View

MSRC blog.

The software giant warned in its MS08-067 emergency bulletin that the flaw could be used by an attacker to craft a wormable exploit. Hours after an out-of-cycle patch was released, researchers discovered a new Trojan exploiting the flaw in the wild.

Researchers have discovered at least seven variants of the Trojan in the wild. The Trojans focuses on loading malware onto a vulnerable system. The flaw is rated critical on Windows 2000, XP and Windows Server 2003 and is given an important rating on Windows Vista and Windows Server 2008.

"The largest of these attacks are those associated with Clort family and we've seen well below fifty attacks worldwide," Budd said.

Clort family is a group of Trojan variants that execute another dropped Trojan to exploit the RPC flaw. After a successful attack, other malware and adware is downloaded on a victim's machine.

Symantec's Security Response research team warned users this week that it was tracking a new worm, W32.Wecorl, that was targeting vulnerable machines in China. A second worm, W32 Kernelbot.A, has the ability to make a victim's machine a zombie, connecting it to a botnet.

"It currently contains locations for downloading additional modules (including the propagation and exploit unit) and instructions to perform DDoS attacks against various websites," Symantec said on its Security Response blog.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: