Tuesday, November 04, 2008 8:42 AM cmosby

A Double Dose of Worms Exploiting MS08-067 - Symantec Security Response Blog


It has been nearly two weeks since Microsoft released its patch for the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874). The problem was rated such a serious risk that Microsoft took the extraordinary step of releasing an out-of-band patch for it.
 
There was much speculation as to how and when it would be used in worms or other malicious code. Unfortunately, we didn't have to wait long for the first one to appear. First we saw Trojan.Gimmiv.A, which appeared to be already in the wild when the patch was released. However, that Trojan never spread very far because of its weak method of propagation: it was manually controlled by the attackers through a channel that was quickly shut down.
 
Then there was a lull. So we waited. And we waited. Sometimes waiting for these new malicious code samples to appear is like waiting for the bus. You wait for an age and then, out of nowhere, two or more of them come along at once. (Of course, the bus is always full.) Today our wait was over. First we received reports of a new piece of malware targeting users of Chinese versions of Windows 2000. The malware, which we detect as W32.Wecorl, was first picked up by our honeypots based in China.
 
The second of the new arrivals is W32.Kernelbot.A. This is a worm with bot functionality. We managed to retrieve the configuration file for this botnet (cmd.txt) and it currently contains locations for downloading additional modules (including the propagation and exploit unit) and instructions to perform DDoS attacks against various websites.
 
Fortunately, at this stage these worms have implemented the exploit as an external module file that has to be downloaded first. Blocking the following addresses may help to prevent their propagation:

•    10Wrj.com

•    zz.ushealthmart.com

So, as you can see, we had a little window of calm after the original patches were released. That window has now well and truly slammed shut, and we are seeing more successful and widespread use of this vulnerability by malware in the wild. If you haven't patched yet, perhaps the appearance of these latest terrible twins will help you to seriously consider doing so.
