New malware exploits Microsoft RPC flaw

Article

New malware exploits Microsoft RPC flaw

Robert Westervelt, News Editor

Microsoft said Wednesday that it is continuing to track new malware attempting to exploit the remote procedure call (RPC) flaw and gain access to critical files.

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

None of these attacks are the broad, fast-moving, self-replicating attacks people usually think of when they hear the word "worm," they do underscore the importance of deploying this update.
Christopher Budd,
security program managerMicrosoft Security Response Center

Christopher Budd, security program manager in the Microsoft Security Response Center, said the malware in the wild represents a significant threat, but most customers have deployed the patch relatively quickly.

"And while so far, none of these attacks are the broad, fast-moving, self-replicating attacks people usually think of when they hear the word 'worm', they do underscore the importance of deploying this update if you haven't already," Budd said in the MSRC blog.

The software giant warned in its MS08-067 emergency bulletin that the flaw could be used by an attacker to craft a wormable exploit. Hours after an out-of-cycle patch was released, researchers discovered a new Trojan exploiting the flaw in the wild.

Researchers have discovered at least seven variants of the Trojan in the wild. The Trojans focuses on loading malware onto a vulnerable system. The flaw is rated critical on Windows 2000, XP and Windows Server 2003 and is given an important rating on Windows Vista and Windows Server 2008.

"The largest of these attacks are those associated with Clort family and we've seen well below fifty attacks worldwide," Budd said.

Clort family is a group of Trojan variants that execute another dropped Trojan to exploit the RPC flaw. After a successful attack, other malware and adware is downloaded on a victim's machine.

SearchSecurity radio:

Symantec's Security Response research team warned users this week that it was tracking a new worm, W32.Wecorl, that was targeting vulnerable machines in China. A second worm, W32 Kernelbot.A, has the ability to make a victim's machine a zombie, connecting it to a botnet.

"It currently contains locations for downloading additional modules (including the propagation and exploit unit) and instructions to perform DDoS attacks against various websites," Symantec said on its Security Response blog.