MS08-067 fun started
Yup, it took this long for someone to start properly abusing the MS08-067 vulnerability. There's a worm now on the loose that uses the exploit. The worm component comes coupled with a kernel-mode DDoS bot that's been doing the rounds for a while now.
Took a cursory glance at the bot; it's a pretty basic exploit shellcode that downloads a dropper binary from a website. The worm starts scanning for vulnerable machines with 100 threads, which is pretty normal behaviour.
Did notice one bug though. When the worm starts it tries to obtain a mutex like this:
push ebx
push ebp
push edi
push offset Name ; "Global\\676767"
push 1 ; bInitialOwner
push 0 ; lpMutexAttributes
call ds:CreateMutexA
In a working piece of code the malware would obtain a mutex lock called "Global\\676767".
Now, whoever made this brilliant piece of malware apparently forgot that he had defined the Name variable as Unicode (UTF-16).
Since he's pushing a Unicode value into an ANSI API call, the "A" function reads the buffer byte by byte and stops at the first zero byte, which is the high byte of the very first character. So the malware ends up with a mutex lock called "G" :)
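To make the truncation concrete for anyone writing an indicator around this mutex, here is an added example (not code from the post or from the malware) that lays out the UTF-16LE bytes of the name as the compiler would and shows what an ANSI API sees versus what a wide API would see. The byte layout is a constructed assumption based on the post's description; the helper names are mine. The practical point for detection: a rule keyed on the mutex name "Global\\676767" will never fire, because the mutex that actually gets created is named "G".

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the UTF-16LE bytes of L"Global\\676767", i.e. what
 * the "Name" variable in the post would look like in the binary. Each
 * ASCII character is followed by a 0x00 high byte; the string ends 00 00. */
static const unsigned char kWideNameLE[] = {
    'G',0, 'l',0, 'o',0, 'b',0, 'a',0, 'l',0, '\\',0,
    '6',0, '7',0, '6',0, '7',0, '6',0, '7',0, 0,0
};

/* What an ANSI ("A") API such as CreateMutexA sees when handed that buffer:
 * it reads one byte at a time and stops at the first 0x00. Copies the
 * visible name into out and returns its length. */
size_t ansi_view(const unsigned char *buf, char *out, size_t cap) {
    size_t n = 0;
    while (buf[n] != 0 && n + 1 < cap) {
        out[n] = (char)buf[n];
        n++;
    }
    out[n] = '\0';
    return n;
}

/* What a wide ("W") API would see: 16-bit code units decoded little-endian
 * until 0x0000. The demo keeps only the low byte, which is fine for ASCII. */
size_t wide_view(const unsigned char *buf, char *out, size_t cap) {
    size_t n = 0;
    for (;;) {
        unsigned code = buf[2 * n] | (buf[2 * n + 1] << 8);
        if (code == 0 || n + 1 >= cap) break;
        out[n] = (char)(code & 0x7F);
        n++;
    }
    out[n] = '\0';
    return n;
}

int main(void) {
    char a[64], w[64];
    ansi_view(kWideNameLE, a, sizeof a);
    wide_view(kWideNameLE, w, sizeof w);
    printf("CreateMutexA sees:      \"%s\" (%zu chars)\n", a, strlen(a));
    printf("CreateMutexW would see: \"%s\" (%zu chars)\n", w, strlen(w));
    return 0;
}
```

Run it and the first line prints a one-character name; that is the string a sandbox or host-based monitor will actually record for this sample, and the value an indicator should match on.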