From Gimmiv to Conficker: The lucrative MS08-067 flaw

GENEVA -- The critical MS08-067 vulnerability used by the Conficker worm to build a powerful botnet continues to be a lucrative security hole for cyber criminals.

During a presentation at the Virus Bulletin 2009 conference here, a trio of Microsoft researchers dissected the malware attacks linked to MS08-067 and found that criminal gangs are still exploiting the flaw to plant data-theft Trojans on vulnerable Windows machines.

[ SEE: Eyeballing Conficker with eye-charts and maps ]

Even before the appearance of Conficker in November 2008, the Microsoft research team said three different malware families -- Arpoc, Gimmiv and Clort -- were already using the code execution hole to "test the effectiveness" of exploit code.

The researchers -- Elda Dimakiling, Francis Allan Tan Seng and Scott Wu --said the three malware families used different techniques and tricks to launch exploits copied from public Web sites like Milw0rm.com but it wasn't until the appearance of Conficker that the attacks took on a professional -- and sinister -- turn.

The first variant, Conficker.A, appeared on November 25 and generated 250 URLs that it checked for updates daily.

• Googling for Conficker clean-up information? Be careful
• Researchers make Conficker breakthrough
• CBS 60 Minutes covers Conficker, malware epidemic

By December 2008, a second variant appeared with new propagation techniques -- spreading via removable and mapped drives, and network shares with weak passwords.  This updated worm also started blocking access to anti-virus and security-related sites.

Over time, a total of five Conficker variants would be launched, each more potent than the others, confirming fears by researchers that the industry was up against a very skilled, professional malware gang.

The Microsoft research team declined to provide hard statistics on the number of infections today but according to a spokesman for the Conficker Working Group, there are about five million Windows machines in the botnet.

Aside from Conficker, there are at least three different malware malware families using the MS08-067 exploit to spread, including a worm called Neeris that spreads via IM programs like Live Messenger and AOL Instant Messenger.

Another malware family, called Synigh, also spreads via instant messenger programs and contains IRC backdoor functionalities.

Several additional backdoor Trojan families such as Mocbot and IRCbot have added MS08-067 exploitation into their functionalities, proving conclusively that more than a year after Microsoft patched the flaw, there are still enough vulnerable machines to present a business model for malware purveyors.

"One of the main applications of the MS08-067 exploit is its use as a stepping stone for malware to do further damage by installing other threats," the research team said.  These threats include information-stealing Trojans, backdoors, spyware, adware and scareware (fake security software).

"Malware authors can make a large profit from this.  For example, attackers can sell important data stolen by the payload.  Remember that there are a high number of these attacks.  A small amount of money earned from each infected machine is amplified by the magnitude of its infection," the researchers explained.

"Huge amounts of money are involved."

More than a year later, MS08-067 is still very lucrative.