Just over a week ago, Microsoft issued MS08-067 as an out-of-band patch to fix a critical flaw that could allow a remote attacker to take over Windows computers without any user interaction. The flaw has to do with the way the Microsoft Windows server service handles Remote Procedure Call requests.
Christopher Budd, a Microsoft Security Response Center program manager, said in a blog post that "the vulnerability is potentially wormable" on older versions of Windows. And other security researchers echoed his concern.
It now appears such concerns were well-founded. Proof-of-concept binaries designed to exploit MS08-067 appeared last week.
And on Monday, F-Secure said it had received reports of a worm designed to exploit MS08-067 in the wild.
"We've received the first reports of a worm capable of exploiting the MS08-067 vulnerability," the company said on its blog. "The exploit payload downloads a dropper that we detect as Trojan-Dropper.Win32.Agent.yhi. The dropped components include a kernel mode DDOS-bot that currently has a selection of Chinese targets in its configuration."
F-Secure also identified the worm component as Exploit.Win32.MS08-067.g and the kernel component as Rootkit.Win32.KernelBot.dg.
Other vendors may use different names to identify the malware.
In its Security Intelligence Report for the first half of 2008, Microsoft on Monday said, "The most common system locale for victims of browser-based exploits was Chinese, accounting for 47% of all incidents, followed by U.S. English with 23% of incidents." It also said that Trojan downloaders and droppers accounted for more than 30% of all malware removed from computers by Microsoft security products worldwide.