A Few Quiet Days… and a New Exploit of MS08-067 Has Been Identified
Via The Microsoft Malware Protection Center Blog.
April 1st is behind us and nothing really happened with Conficker. But it is never boring in the antimalware world. We have found a new exploit of MS08-067 other than Conficker. We also discovered that we already detected and protected users against this new malware. We added information about mitigations against this malware at the end of this blog post.
Neeris is a worm that has been active for a few years. Some of its variants used to exploit MS06-040 which addressed a vulnerability in the same Server service as MS08-067. However it looks like the authors of Neeris have been taking notes from Conficker. A new variant of the Neeris worm has been launched this week. It has some interesting similarities to Conficker:
- The new variant of Neeris has been updated to exploit MS08-067. Also, after the successful exploitation, the victim machine downloads a copy of the worm from the attacking machine using HTTP.
- Neeris spreads via autorun. The new Neeris variant even adds the same ‘Open folder to view files’ AutoPlay option that Conficker does.
- Neeris uses a driver to patch the TCP/IP layer of the system in order to remove the outgoing connection limits from XPSP2
It is interesting to note that this new variant of Neeris spiked on late March 31st and during April 1st. However it was not downloaded by any Conficker variant and there’s no evidence that it’s related to Conficker.D’s April 1 domain algorithm activation.
The earliest samples of Neeris date back to May of 2005, so it seems the Conficker authors may be the copycats here. But the Neeris authors added the MS08-067 vector later. Therefore it is possible that these miscreants somehow collaborate or at least are aware of each other’s "products".
Our current definition files were already detecting this new variant with a generic signature: Worm:Win32/Neeris.gen!C. Neeris began as an IRC bot which spreads itself by sending links through MSN Messenger. It still operates as an IRC bot, but over time, new spreading methods have been added. The latest variants can spread via removable drives, SQL servers with weak passwords, exploiting MS06-040, and finally exploiting MS08-067 in the latest variant.
The new variant tries to connect to a command and control server over port 449. The server password it uses to log-in was used by other bots last February.