SECFORCE          
   
HOME COMPANY SERVICES RESEARCH BLOG NEWS & EVENTS PRESS OFFICE CONTACT
 
    Blog  
    Home : Blog  
   
Posts Tagged ‘MS08-067’
 

MS vulnerabilities and worms

Friday, October 24th, 2008

Time between vulnerability disclosure and worm spread has been drastically reduced.

The MS08-067 vulnerability has been published some hours ago. Microsoft rated this vulnerability as critical, as a remote unauthenticated attacker could exploit it to execute arbitrary code in the vulnerable host.

This vulnerability is caused due to a bug in the Windows Server service handling a crafted RPC request.

The vulnerability affects almost all the Windows operating systems family, with some differences. On Windows 2000, XP and 2003 an attacker could exploit this vulnerability without the need of a username and password. However, the exploitation in Windows Vista and Windows Server 2008 requires a valid username and password.

The really interesting thing about all of this is that Microsoft published the following in its Security Bulleting:

It is possible that this vulnerability could be used in the crafting of a wormable exploit.

Just after a few hours reliable exploits are already available and what is more, a worm has been already found in the wild exploting this vulnerability.

The name of the worm is Gimmiv.A and uses this vulnerability to spread over the network. On infection, the worm injects two DLLs into the services.exe address space. After that, the worm retrieves information from the compromised host (including passwords from the Windows protected storage) and posts it in encrypted form to a remote host.

The worm posts the details to a number of hosts, including http://perlbody.t35.com/

At the time of writing the host is up and running and contains details of 3779 hosts stored int the http://perlbody.t35.com/icon.txt file.

The worm also downloads the following image stored on the http://perlbody.t35.com/ server:

Microsoft and SECFORCE recommends that customers apply the update immediately as other versions of worms exploiting this vulnerability are likely to be released.

Tags: , , ,
Posted in Vulnerabilities | 1 Comment »

 
   
 
BLOG

Archives

January 2012
October 2011
September 2011
July 2011
June 2011
April 2011
February 2011
January 2011
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
Categories
Business Continuity (1)
CREST (1)
exploit (3)
Fuzzing (1)
Penetration Testing (21)
Phishing (2)
Risk Management (4)
SECFORCE (8)
Security Books (1)
Security Compliance (1)
Security research (2)
sql injection (1)
SQL Server (1)
Tools (7)
Vulnerabilities (6)
  
  Copyright (c) 2012 SECFORCE Ltd
All Rights Reserved		 Suite 11, Beaufort Court, Admirals Way
E14 9XL London		 SECFORCE is CREST certified. Click on the logo for more informationISO9001+44 (0) 845 056 8694