Attackers are using the Server Message Block (SMB) Worm Tool in targeted attacks that could allow them to execute arbitrary code, access sensitive information, or cause a denial of service (DoS) condition.
When a targeted system is infected with the SMB Worm Tool, the malware can self-propagate throughout the network in which the infected system resides by using a brute-force authentication attack against Windows SMB shares. In addition to self-propagating throughout a targeted network, the malware includes various tools and services such as a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and a Destructive Target Cleaning Tool. These tools and services could further allow an attacker to execute arbitrary code, access sensitive information, wipe the hard drive, or overwrite the master boot record on infected systems in a targeted network, resulting in a DoS condition.
The SMB Worm Tool affects only systems running Microsoft Windows.
US-CERT has released a security alert at the following link: TA14-353A
Administrators are advised to review Security Tip ST13-003 at the following link: Handling Destructive Malware
Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.
Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
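As an added example (not part of the alert or of any vendor tooling), the following sketch shows one way detection logic could flag the brute-force SMB authentication behavior described above from failed network logon records. The record layout, sample data, host names, addresses, and thresholds are all assumptions constructed for illustration; event ID 4625 and logon type 3 are the standard Windows Security log values for a failed logon and a network logon.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(time, host, src, eid=4625, ltype=3):
    """Build one constructed record; fields mirror Windows Security logon events."""
    return {"time": time, "host": host, "source_ip": src,
            "event_id": eid, "logon_type": ltype}

# Constructed sample data (not from the alert). 4625 = failed logon, 4624 = success;
# logon type 3 = network logon (how SMB share access appears), type 2 = interactive.
SAMPLE_EVENTS = (
    # one source failing 12 times in under two minutes across 4 hosts
    [_ev(f"2014-12-19T10:0{i // 6}:{(i % 6) * 10:02d}", f"WS-{i % 4:02d}", "10.0.0.23")
     for i in range(12)]
    # a user mistyping a password three times against one host
    + [_ev(f"2014-12-19T10:1{i}:00", "WS-07", "10.0.0.40") for i in range(3)]
    # repeated failures at the console, not over the network
    + [_ev(f"2014-12-19T10:2{i}:00", "WS-09", "10.0.0.51", ltype=2) for i in range(9)]
    # successful network logons from an ordinary file server client
    + [_ev(f"2014-12-19T10:3{i}:00", f"FS-0{i % 3}", "10.0.0.60", eid=4624) for i in range(9)]
)

def find_smb_bruteforce_sources(events, window=timedelta(minutes=5),
                                min_failures=8, min_targets=3):
    """Return {source_ip: (failures, distinct_hosts)} for sources whose failed
    network logons inside one sliding window meet both (assumed) thresholds."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625 and ev["logon_type"] == 3:
            by_source[ev["source_ip"]].append(
                (datetime.fromisoformat(ev["time"]), ev["host"]))
    flagged = {}
    for src, hits in by_source.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # shrink the window until it spans at most `window` of time
            while hits[end][0] - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            targets = {host for _, host in span}
            if len(span) >= min_failures and len(targets) >= min_targets:
                if len(span) > flagged.get(src, (0, 0))[0]:
                    flagged[src] = (len(span), len(targets))
    return flagged

if __name__ == "__main__":
    print(find_smb_bruteforce_sources(SAMPLE_EVENTS))
```

Requiring several distinct target hosts, not just a failure count, is what separates worm-like lateral spread from a single user repeatedly mistyping a password.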