A few days ago I had too many questions: I was wondering whether MS08-067 was just for show, or should I say an isolated attack, or maybe real blackhat VXers were working on a bigger one. Today I have answers, and unfortunately it seems this wormable vulnerability is going in-the-wild.
As seen today, a file “67.exe” contains malcode exploiting MS08-067, a vulnerability in the RPC request function “NetPathCanonicalize()” found in netapi32.dll.
The code snippet shows that it is capable of connecting and binding to a remote pipe, after which it sends its payload, another file named “6767.exe”, a Chinese malware named “KernelBot” known as a DDoS bot.
From the “6767.exe” code, it is obvious that it targets several security sites by modifying the local hosts file.
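Blocking security sites through the hosts file is a common bot trick, and it is also easy to audit for. The script below is an added example, not code from the post or from the KernelBot analysis: it parses hosts-file text and flags any entry that maps a domain on a watch list to loopback, to the unspecified address, or to some other unexpected address. The sample hosts content and the watch-list domains are constructed placeholders; on a real Windows machine you would feed it the contents of %SystemRoot%\System32\drivers\etc\hosts and a watch list of your own vendors' domains.

```python
"""Audit a hosts file for entries that sinkhole or redirect security-vendor domains.

Added example (not from the original post). Bots such as the one described
block access to security sites by rewriting the local hosts file, so a quick
defensive check is to parse that file and flag any entry for a watched domain.
"""
import ipaddress

# Constructed sample hosts file for this example (not data from the post).
SAMPLE_HOSTS = """\
# Constructed sample hosts file for this example (not data from the post)
127.0.0.1       localhost
10.0.0.5        intranet.corp.example
127.0.0.1       www.antivirus-vendor.example antivirus-vendor.example
0.0.0.0         security-updates.example
192.0.2.10      download.windowsupdate.example
"""

# Placeholder domain suffixes to watch; replace with real vendor domains in use.
WATCH_SUFFIXES = (
    "antivirus-vendor.example",
    "security-updates.example",
    "windowsupdate.example",
)


def on_watch_list(hostname):
    """True if hostname equals a watched suffix or is a subdomain of one."""
    for suffix in WATCH_SUFFIXES:
        if hostname == suffix or hostname.endswith("." + suffix):
            return True
    return False


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostnames is not a usable entry
        ip, hostnames = fields[0], fields[1:]
        for name in hostnames:  # one address may carry several hostnames
            entries.append((ip, name.lower()))
    return entries


def classify(ip, hostname):
    """Return None for an unwatched hostname, else a verdict string for the entry."""
    if not on_watch_list(hostname):
        return None
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"  # a broken address on a watched domain still blocks it
    if addr.is_loopback or addr.is_unspecified:
        return "sinkholed"  # 127.x / ::1 / 0.0.0.0: the classic blocking pattern
    return "redirected"  # points the vendor domain somewhere else entirely


def audit_hosts(text):
    """Return a list of (hostname, ip, verdict) for every suspicious entry."""
    findings = []
    for ip, hostname in parse_hosts(text):
        verdict = classify(ip, hostname)
        if verdict:
            findings.append((hostname, ip, verdict))
    return findings


if __name__ == "__main__":
    for hostname, ip, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:10s} {hostname} -> {ip}")
```

Any hit is worth a look: a clean workstation has no reason to carry hosts entries for antivirus or update domains at all, so the watch list can be generous, and the "sinkholed" versus "redirected" split only tells you whether the bot wanted the site dead or wanted to impersonate it.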
The bot then downloads its C&C (command and control) configuration file “cmd.txt” from a remote server, which defines its DDoS attack.
The configuration file “cmd.txt” also includes URLs from which it can download further files: “webcc.exe”, “Loader.exe”, and “67.exe”.