MS08-067 vulnerability, exploit, and reverse engineering in detail

Since Microsoft released the out-of-band patch detailed in MS08-067 yesterday, an exploit and worm have already been developed and seen in the wild. Dave Aitel announced the exploit yesterday on his DailyDave mailing list. SecurityFocus has the exploit available for download here. Alexander has also published his decompiled version of the vulnerable function. Stephenl has a nice description of how he reverse engineered the patches to determine the specific vulnerability.

The ThreatExpert Blog has a very nice description of how the worm, named Gimmiv.A operates. Gimmiv.A creates three files in the %system%\WBEM\ directory: winbase.dll, basesvc.dll, and syicon.dll.

ThreatExpert reports:

“After dropping and loading the aforementioned DLLs, the worm will collect system information from the compromised computer, collect passwords from the Windows protected storage and Outlook Express passwords cache, and post collected details to a remote host. The details are posted in an encrypted form, by using AES (Rijndael) encryption. 

Details collected by Gimmiv.A are then posted to a personal profile of the user “perlbody”, hosted with hosting provider. At the time of this writing, there are 3,695 entries in that file. Every line contains an encrypted string, which could potentially conceal current victims’ details, indirectly indicating how many victims have been compromised by this worm so far.

The most interesting part of this worm is implemented in the DLL basesvc.dll. This DLL is responsible for the network propagation of the worm.”

If you cannot immediately patch your systems, the best defense is to restrict access to ports 139 and 445.
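The dropped-file indicators and the port restriction above, turned into a defender-side host check (added example, not code from the post or from any of the linked write-ups). It assumes Windows Vista/Server 2008 or later for netsh advfirewall; the firewall rule name is a placeholder chosen here.

```powershell
# Added example: check for the Gimmiv.A file indicators named above and
# optionally apply the port 139/445 restriction on a host that cannot be
# patched yet. Not from the original post; rule name is a placeholder.

$WbemDir  = Join-Path $env:SystemRoot 'System32\WBEM'
$IocFiles = @('winbase.dll', 'basesvc.dll', 'syicon.dll')   # names listed in the post

function Get-GimmivFileIndicators {
    param([string]$Directory = $WbemDir, [string[]]$Names = $IocFiles)
    # Returns details for any of the listed names present in the directory.
    # A hit is an indicator consistent with the write-up, not a confirmation:
    # preserve the file and check it against your AV vendor's detection.
    foreach ($name in $Names) {
        $path = Join-Path $Directory $name
        if (Test-Path -LiteralPath $path) {
            Get-Item -LiteralPath $path | Select-Object FullName, Length, LastWriteTime
        }
    }
}

function Add-SmbInboundBlock {
    param([string]$RuleName = 'MS08-067 mitigation - block inbound SMB')  # placeholder
    # Adds an inbound block rule for TCP 139 and 445 unless a rule with this
    # name already exists. Requires an elevated shell. This also blocks
    # legitimate file and print sharing offered by this host.
    $existing = netsh advfirewall firewall show rule name="$RuleName"
    if ($existing -match 'Rule Name:') {
        Write-Output "Rule '$RuleName' already present."
        return
    }
    netsh advfirewall firewall add rule name="$RuleName" dir=in action=block `
        protocol=TCP localport=139,445 | Out-Null
    Write-Output "Added inbound block for TCP 139,445 as '$RuleName'."
}

$hits = @(Get-GimmivFileIndicators)
if ($hits.Count -gt 0) {
    Write-Output 'Possible Gimmiv.A dropped files found:'
    $hits | Format-Table -AutoSize
} else {
    Write-Output "None of the listed Gimmiv.A file names found in $WbemDir."
}

# Uncomment to apply the mitigation described in the post:
# Add-SmbInboundBlock
```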

For additional detail, see this Microsoft Security Vulnerability Research & Defense blog posting.

The Microsoft Malware Protection Center has a page dedicated to Gimmiv.A, which they are calling a trojan rather than a worm.

McAfee has a nice description of the exploit code as well.

You can verify your anti-virus vendor detects Gimmiv.A at