Researcher: Small attack triggered Microsoft emergency patch

Trojan that prompted out-of-cycle Windows update infected 200 machines

The Trojan horse whose attacks convinced Microsoft to issue an emergency patch for Windows had infected only about 200 computers prior to the fix's October 23 release, a security researcher said Tuesday.

Joe Stewart, director of malware research at SecureWorks, tracked down "Gimmiv," the Trojan that started the rush to patch. By accessing three control servers used by Gimmiv's makers, downloading log files and then decrypting the encrypted data, Stewart was able to pinpoint its origin, the first evidence of its spread and the overall number of infected PCs.

Twelve days ago, Microsoft warned of a critical vulnerability in the Windows Server service, which is used by all versions of the operating system, including client editions, to connect to file and print servers on a network. Hackers were already exploiting the bug in what Microsoft called "limited, targeted attacks," the company said as it issued a patch outside its normal second-Tuesday-of-the-month schedule.

Gimmiv, which Microsoft tagged as "Win32/MS08067.gen!A" instead, was identified as the malware that prompted the emergency patch.

It first popped up August 20 and was probably written by a South Korean hacker, said Stewart. According to the log files, however, the Trojan was present at only two IP addresses in August, and then only briefly. "One of these IP addresses, located in Korea, we can tell was running Gimmiv in a VMware virtual machine, exactly the kind of thing you might expect someone testing a piece of malicious mobile code to do," said Stewart.

Not until September 29, however, did Gimmiv show up "in the wild" as log files noted an infected PC in Hanoi, Vietnam. All told, approximately 200 machines in 23 countries were successfully attacked by Gimmiv between September 29 and October 23, when Microsoft released its out-of-cycle fix. Many of the machines were on two networks in Malaysia, and few systems outside of Asia were compromised.

The log files recorded just one hacked machine in North America, for instance.

"But we had just as many questions after this as before," said Stewart, who ticked off a long list of unusual characteristics of Gimmiv. "They weren't the worst programmers ever, but it seemed like this was put together quickly. It almost felt like a half-finished program."

Stewart found lots of debug code in Gimmiv, as well as code that led nowhere. "Sections were supposed to do something, but never did," he said. "For example, it pings a Web site in China and then if that's not available, Google. It sends a special pattern in the ping but doesn't do anything with the results.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Topics: trojan, microsoft patches
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?