On Monday, several antivirus vendors reported a new round of exploitation of the vulnerability addressed by Microsoft's out-of-cycle security bulletin last month.
The flaw in MS08-067, which affects how remote procedure calls (RPC) are handled in the Windows Server Service, has the potential to become a fast-spreading worm, according to Microsoft. But experts predicted any exploitation will be bundled within an existing Trojan horse or botnet package because that's where criminals can make the most money from the malware code.
Ken Dunham of iSight Partners said his company was looking at three samples of interest.
One is what F-Secure is calling 'Rootkit.Win32.KernelBot.dg'; another is what Symantec calls 'W32.Wecorl'. A third appears to be a weak variant of Wecorl.
Dunham said these malware samples appear to be autorooters, malicious programs designed to automatically scan and attack targeted computers. He stressed that what was seen on Monday were not worms but autorooters, which still involve a manual process but are nonetheless a major step towards automating the code.
The way the attack works is that the criminal points his computer at a target PC. The autorooter goes out to the internet and pulls down exploit code for vulnerabilities including MS08-067. Once the target computer is compromised, the criminal then installs "code of choice".
Dunham said that, so far, he's seen a backdoor version of the eMule client application installed along with a few other files. This gives the criminal anonymous access to and control of the compromised machine and makes it part of a larger botnet. So far the botnet has been used to create denial-of-service attacks on sites mostly in China, including Google.cn.