MS08-067 Used to Drop DDoS Bots

Earlier today we were informed about a bot we have seen before, KernelBot, being dropped by an exploit tool for MS08-067. The exploit code is “67.exe”, and the bot itself is “6767.exe”. KernelBot is a Chinese-origin DDoS bot run by someone we think uses the handle IceKernel; he even names his project KernelBot, as the debug symbol path left in the binary shows: d:\Works\KernelBots_Up28\Server\Release\Server.pdb. We first became aware of this bot during the CNN.com attacks earlier this year, when some researchers we were working with brought it to our attention. Since then we have been watching this guy’s activities and have seen a handful of DDoS targets, most of them Baidu. It’s nice to see that most of the AV vendors have finally caught up and added detection.

If you want to stop this one, block all web access to the domain ushealthmart.com. The bot uses a few hosts under that domain to spread and to serve its configurations.

We are still not seeing significant exploit activity around the CVE-2008-4250 vulnerability, which is a bit unexpected given the number of PoC codes available.

KernelBot can launch ICMP, TCP SYN, UDP and even HTTP floods, among other attacks. It polls a server to retrieve a file, usually named “cmd.txt”, which is a large INI file describing attacks and next actions. The bot has no spreading mechanism of its own, so the MS08-067 exploit is what gets it onto victims: the exploit is used to make the compromised host download and run it.
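One practical way to act on the two indicators in this post (the ushealthmart.com distribution domain and the artifact names 67.exe, 6767.exe and cmd.txt) is to sweep web proxy logs for hosts that touched them. The script below is an added example and is not code from the original post or from the bot; the log format it parses (client, method, URL on one line) and the sample log lines are constructed for the example, and a real proxy log (Squid, Bluecoat, IIS) would need its own field parser. Matching on the domain uses a dot-boundary suffix check so that a look-alike such as notushealthmart.com does not match, and the generic filename cmd.txt is reported separately from the domain hit because on its own it is a weak indicator.

```python
from urllib.parse import urlsplit

# Indicators taken from the post: the distribution domain and the
# artifact names used by the exploit tool and the bot.
BLOCKED_DOMAIN = "ushealthmart.com"
SUSPECT_FILENAMES = {"cmd.txt", "67.exe", "6767.exe"}

# Constructed sample proxy log in a simplified "client method url" format.
# These lines are made up for this example and are not real traffic.
SAMPLE_LOG = """\
10.0.0.12 GET http://www.example.com/index.html
10.0.0.17 GET http://update.ushealthmart.com/cmd.txt
10.0.0.17 GET http://dl.ushealthmart.com/6767.exe
10.0.0.23 GET http://notushealthmart.com/cmd.txt
10.0.0.31 GET http://mirror.example.net/cmd.txt
10.0.0.40 GET http://USHEALTHMART.COM/67.exe
"""


def host_in_domain(host, domain):
    """True if host is the domain itself or any subdomain of it.

    Comparison is case-insensitive and requires a dot boundary, so
    'notushealthmart.com' does not match 'ushealthmart.com'.
    """
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(line):
    """Return the list of reasons one log line is suspicious (empty if clean)."""
    parts = line.split()
    if len(parts) != 3:
        return []  # malformed line for this constructed format; skip it
    _client, _method, url = parts
    parsed = urlsplit(url)
    host = parsed.hostname or ""
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if host_in_domain(host, BLOCKED_DOMAIN):
        reasons.append("blocked-domain")
    if filename in SUSPECT_FILENAMES:
        reasons.append("suspect-filename:" + filename)
    return reasons


def scan(log_text):
    """Map each client IP to the set of reasons seen for it.

    Clients with no hits are omitted, so the result is the list of
    machines worth looking at for a KernelBot infection.
    """
    hits = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            client = line.split()[0]
            hits.setdefault(client, set()).update(reasons)
    return hits


if __name__ == "__main__":
    for client, reasons in sorted(scan(SAMPLE_LOG).items()):
        print(client, sorted(reasons))
```

A client that hits both the domain and one of the executable names is the strongest signal; a lone cmd.txt fetch from an unrelated host (10.0.0.31 in the sample) is reported but should be treated as a lead, not a verdict.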
