Exploit-MS08-067 Bundled in Commercial Malware Kit
Friday November 14, 2008 at 8:27 am CST
Posted by Haowei Ren, Geok Meng Ong
Probably the most widely reported topic in the Chinese security community this month will be the availability of a commercial MS08-067 attack pack, customized for Chinese users. On October 26th, 2008, exploit code was posted to a well-known public repository site. Within a few days, malware kit author WolfTeeth was quick to sell an MS08-067 port scanning tool with attack capability to his “customers”, using free code from the Internet.

Taking a peek into his “malware shop”, one finds a series of malware kits for sale - including a BackDoor kit (a.k.a. Beetle Remote Control Kit). It offers features similar to BackDoor-AWQ, another commercial kit that was also notoriously sold on a Chinese website. Both kits offer a free version and a commercial version with enhanced features, including:
- Kernel rootkit.
- Anti-virus software termination.
- Weekly anti-virus detection monitoring and evasion service.
- Web DDoS attack option (targeting web servers with expensive HTTP requests, for example against an active web application site).
The seller invites interested “customers” to contact him for a quote, but on another page he has publicly priced an AdClicker trojan kit at CNY258 (~USD$37.80). This kit allows his “customers” to make money from pay-per-click sites using infected machines. Similarly, this kit claims “advanced” features to terminate popular anti-virus software in China, download updates, and stay stealthy.

Oh, wait, he also posted a disclaimer to remind all “customers” that his tools must never be used for “legal purposes” and are sold for “research use” only. As a customer service gesture, he has also warned his “customers” about “trojanized” versions of his kit distributed by others on the Internet, which install a backdoor to spy on the backdoor user.
This malware shop is hosted on a domain registered very recently, on October 16th, 2008 to someone by the name of Wang Zeyu, possibly from Nanjing, China. Since the release of the tool, it has gained some attention from the mainstream Chinese media.
McAfee Avert Labs detects the toolkit as Exploit-MS08-067 (Generic.dx in older DATs), and the dropped exploit and port scanning tool as Exploit-MS08-067 trojan and Tool-TCP Scan application.

November 16th, 2008 at 1:06 pm
Did you guys look into the commercial version of the app? From what I see above, it looks like they probably just re-packaged code existing elsewhere (Milw0rm/Metasploit/CANVAS). Are they using the exact same code? Do they alter any of the encoding to bypass signatures?
Likewise with the toolkit version, what software are they dropping on the target box? Do the tools match known signatures?