Blast from the past: application of the MS08-067 exploit in real world malware

Elda Dimakiling Microsoft
Francis Allan Tan Seng Microsoft
Scott Wu Microsoft

Every so often, a vulnerability is discovered in an operating system that makes it possible for attackers to exploit widely used systems. Such a vulnerability discovered last year was the Server service vulnerability, which was resolved with the MS08-067 security update. This vulnerability could allow remote code execution when a specially crafted RPC request is incorrectly handled by the Server service, making it a possibly wormable exploit similar to what was seen with the Blaster and Sasser worms.

This paper discusses how the exploit was used by different malware families, from simple trojans that conduct targeted attacks, to worms, such as the well-known Conficker, that infect entire networks. It presents relevant telemetry, including data from the Malicious Software Removal Tool, regarding the spread and impact of some of these malware families on different regions and versions of the Windows operating system. In addition, the paper provides insights into the industry effort in disabling domains targeted by Conficker as well as the $250,000 Microsoft reward for the arrest and conviction of those responsible for Conficker. It also makes observations and recommendations on Microsoft security update practices when dealing with such widespread impact, incorporating technologies such as Windows Update, Windows Server Update Services, and Windows Security Center.

 del.icio.us  digg this! digg this

Quick Links

Poll
Should software vendors extend support for their products on Windows XP beyond the end-of-life of the operating system?
Yes - it keeps their users secure
No - it encourages users to continue to use a less secure OS
I don't know
Leave a comment
View 24 comments

SMI Oil and Gas Cyber Security 2014

Malware Prevalence
Adware-misc |##########|
Java-Exploit |########|
Autorun |#####|
BHO/Toolbar-misc |####|
Conficker/Downadup |###|
 View this month's full report

Virus Bulletin currently has 231,355 registered users.