Blast from the past: application of the MS08-067 exploit in real world malware

Elda Dimakiling, Microsoft
Francis Allan Tan Seng, Microsoft
Scott Wu, Microsoft

Every so often, a vulnerability is discovered in an operating system that makes it possible for attackers to exploit widely used systems. Such a vulnerability discovered last year was the Server service vulnerability, which was resolved with the MS08-067 security update. This vulnerability could allow remote code execution when a specially crafted RPC request is incorrectly handled by the Server service, making it a possibly wormable exploit similar to what was seen with the Blaster and Sasser worms.

This paper discusses how the exploit was used by different malware families, from simple trojans that conduct targeted attacks, to worms, such as the well-known Conficker, that infect entire networks. It presents relevant telemetry, including data from the Malicious Software Removal Tool, regarding the spread and impact of some of these malware families on different regions and versions of the Windows operating system. In addition, the paper provides insights into the industry effort in disabling domains targeted by Conficker as well as the $250,000 Microsoft reward for the arrest and conviction of those responsible for Conficker. It also makes observations and recommendations on Microsoft security update practices when dealing with such widespread impact, incorporating technologies such as Windows Update, Windows Server Update Services, and Windows Security Center.
