Blast from the past: application of the MS08-067 exploit in real world malware
Elda Dimakiling Microsoft
Francis Allan Tan Seng Microsoft
Scott Wu Microsoft
Every so often, a vulnerability is discovered in an operating system that makes it possible for attackers to exploit
widely used systems. Such a vulnerability discovered last year was the Server service vulnerability, which was resolved
with the MS08-067 security update. This vulnerability could allow remote code execution when a specially crafted RPC
request is incorrectly handled by the Server service, making it a possibly wormable exploit similar to what was seen
with the Blaster and Sasser worms.
This paper discusses how the exploit was used by different malware families, from simple trojans that conduct targeted
attacks, to worms, such as the well-known Conficker, that infect entire networks. It presents relevant telemetry,
including data from the Malicious Software Removal Tool, regarding the spread and impact of some of these malware
families on different regions and versions of the Windows operating system. In addition, the paper provides
insights into the industry effort in disabling domains targeted by Conficker as well as the $250,000 Microsoft
reward for the arrest and conviction of those responsible for Conficker. It also makes observations and
recommendations on Microsoft security update practices when dealing with such widespread impact, incorporating
technologies such as Windows Update, Windows Server Update Services, and Windows Security Center.
This month VB's test team put 26 products to the test on
Windows Server 2008. John Hawes has the full results.