On Tuesday, Microsoft Corporation released an emergency security update more than
two weeks ahead of the company’s regular monthly patch release, warning of a
vulnerability that could allow worms and trojans to run malicious code on
affected machines.
The patch, the first released outside Microsoft’s regular update cycle in
eighteen months, addressed a bug that could let attackers remotely take full
control of an affected system.
In addition, the company said that the vulnerability arose from the failure of
the Windows Server service to adequately check remote procedure call (RPC)
requests for malicious content. RPC is a communication technology that enables a
computer program to cause a procedure to execute in another address space (on
another computer or a shared network) without the programmer having to
explicitly code the details of this remote interaction. The Windows Server
service uses RPC to support the sharing of printers, disks and other resources
over a network of systems.
Initially, Microsoft described the bug as being subject to limited attacks, but
after attackers managed to exploit the weakness by sending a special network
packet to systems running the 2000, XP and Server 2003 versions of Windows, the
vulnerability was rated critical for those versions.
According to the company, however, systems running Windows Vista and Windows
2008 could only be exploited by authenticated users who have access to the
network they are targeting.
This was the sixth time Microsoft had issued an out-of-band security update
since October 2004, when it began releasing patches on the second Tuesday of
each month. The last time the company issued an emergency security patch was in
April 2007, to fix a critical bug in how Windows handled animated cursor files
(.ani files).
Only two days after Microsoft released the patch, security
researchers identified a new trojan named Gimmiv, which exploited the
vulnerability in the RPC service.
Moreover, on Friday, sample code that hackers could use to further exploit the
bug was posted on the Internet, on the Milw0rm.com hacker site.
Ben Greenbaum, a senior research manager with Symantec, said that the Gimmiv
trojan could be used to spread malicious content between systems joined in a
local network, since such systems are not generally protected by firewalls. By
exploiting the Windows weakness, Gimmiv could easily infect a local network’s
computers one after another.
Afterwards, the trojan could load password-stealing software onto the machine,
the experts also warned.
Symantec said that, beginning Thursday evening, the number of scans searching
for systems that might be vulnerable to the Gimmiv trojan had gone up by 25
percent, which means that further attacks were expected from hackers who had
turned the code posted on the Web into easy-to-use exploit tools.