
More Threats Exploiting MS08-067

A few days ago I had too many questions. I was wondering whether MS08-067 was just for show, or should I say an isolated attack, or whether real blackhat VXers were working on something bigger. Today I have answers, and unfortunately this wormable vulnerability seems to be going in the wild.

As seen today, a file “67.exe” contains malcode exploiting MS08-067, a vulnerability in the RPC request function “NetPathCanonicalize()” found in netapi32.dll.

[Screenshot: 67exe_01]

[Screenshot: 67exe_02]

The code snippet shows that it is capable of connecting and binding to a remote pipe, after which it sends its payload: another file named “6767.exe”, a Chinese malware named “KernelBot”, known as a DDoS bot.

[Screenshot: 67exe_03]

[Screenshot: 6767]

From the “6767.exe” code it is obvious that it targets several security sites by modifying the local hosts file, pointing them at localhost.

This bot then downloads its C&C (command and control) configuration file “cmd.txt” from a remote server, which defines its DDoS attack.

[DDOS_ScriptFlood]
IsScriptFlood=0
CmdID=46
ScriptFloodUrl=http://zhang_231.blog.163.com
ScriptFloodDNS=blog.163.com
ScriptFloodPort=80
IsGetUrlFile=1
ThreadLoopTime=10000
ThreadCount=1
IsTimer=1
Timer=15

[DDOS_UdpFlood]
IsUdpFlood=0
CmdID=9
UdpFloodDNS=222.130.21.3
ThreadCount=6
IsTimer=1
Timer=4

[DDOS_SynFlood]
IsSynFlood=0
CmdID=1
SynFloodDNS=www.bc248.com
SynFloodPort=80
ThreadCount=1
IsTimer=1
Timer=10

[DDOS_TcpFlood]
IsTcpFlood=0
CmdID=26
TcpFloodDNS=
TcpFloodPort=80
IsSendPacket=0
ThreadCount=1
IsTimer=1
Timer=6

The configuration file “cmd.txt” also includes a URL from which it can download further files: “webcc.exe”, “Loader.exe”, and “67.exe”.
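As an added example for triage (not code from the post or from the KernelBot sample), a small Python parser for the cmd.txt layout quoted above: it reads each [DDOS_*] section, reports whether the Is<Kind> switch arms the task, and lists the targets. The sample text below is constructed; setting IsSynFlood=1 in it is an assumption made so that one task shows as armed.

```python
import configparser

# Constructed sample in the quoted cmd.txt layout; IsSynFlood is 1 here (0 in the captured file) so one task is armed.
SAMPLE_CMD_TXT = """\
[DDOS_ScriptFlood]
IsScriptFlood=0
CmdID=46
ScriptFloodUrl=http://zhang_231.blog.163.com
ScriptFloodDNS=blog.163.com
ScriptFloodPort=80
ThreadCount=1
IsTimer=1
Timer=15

[DDOS_SynFlood]
IsSynFlood=1
CmdID=1
SynFloodDNS=www.bc248.com
SynFloodPort=80
ThreadCount=1
IsTimer=1
Timer=10
"""

def parse_kernelbot_config(text):
    """One dict per [DDOS_*] section: flood kind, whether Is<Kind> arms it, target."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    tasks = []
    for section in cp.sections():
        if not section.startswith("DDOS_"):
            continue
        kind = section[len("DDOS_"):]   # e.g. "SynFlood"
        s = cp[section]                  # option lookups are case-insensitive
        port = s.get(kind + "Port", "")
        tasks.append({
            "kind": kind,
            "enabled": s.get("Is" + kind, "0") == "1",
            "cmd_id": int(s.get("CmdID", "0")),
            "target": s.get(kind + "DNS", ""),
            "port": int(port) if port else None,
            "threads": int(s.get("ThreadCount", "0")),
            "timer": int(s.get("Timer", "0")) if s.get("IsTimer", "0") == "1" else None,
        })
    return tasks

def armed_targets(text):
    """Targets of tasks whose Is<Kind> switch is 1: what a triage note should list."""
    return sorted({t["target"] for t in parse_kernelbot_config(text)
                   if t["enabled"] and t["target"]})
```

Sections with the switch at 0 (as all four are in the captured file) are parsed but not listed as armed, which is the distinction an analyst wants when deciding whether a host was actively flooding.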
