Windows Server 最新漏洞传播的病毒Win32/MS08067.gen!A 已经出现 (转载)

文章来自微软Microsoft® Malware Protection Center官方BLOG

链接地址:http://blogs.technet.com/mmpc/archive/2008/10/23/get-protected-now.aspx

Get Protected, Now!

Microsoft released a security update today that fixes a vulnerability that affects all supported versions of Windows. On some versions of Windows, an unauthenticated attacker can remotely execute code on a vulnerable computer. Basically if file sharing is enabled and the security update is not installed yet, the computer is vulnerable. File sharing is enabled in several scenarios though it is disabled by default in XP SP2 and newer operating systems. See the "Security Vulnerability Research & Defense" blog for further information. Security Bulletin MS08-067 also provides more details. Microsoft strongly recommends that you update your computer(s) immediately.

We are already seeing a small number of attacks using this vulnerability. The situation can change now that the security update is public. We have seen cases in the past where information on how to exploit a newly updated vulnerability was posted to the web only a few days, or even hours, after a security update is released. Did we already mention that we recommend you quickly install the security update?

We have detection for the current attacks. Its name is Exploit:Win32/MS08067.gen!A and it is included in VDM update version 1.45.1012.0 and higher. We released these VDMs this morning shortly after 10 AM PDT. These current attacks will be detected when the attack file is copied to the victim’s computer, for example, as part of its self replication. Note that we are not aware of any self replicating malware that is exploiting this vulnerability at the moment. This update can detect the current attacks and we will continue to update should more be created. Our team, the Microsoft Malware Protection Center, is on the alert and is closely monitoring the situation.

Currently, attacks try to download a trojan named n2.exe to the victim’s computer and there are now two different versions of this binary. Our products are able to detect both files as TrojanSpy:Win32/Gimmiv.A. This trojan drops another DLL that we detect as TrojanSpy:Win32/Gimmiv.A.dll. The malware deletes itself after it executes so you may not find it even on systems that were previously infected. Our products provide real-time protection that will block that malware from being copied to the hard drive.  You can read more details about this malware in our encyclopedia write ups.

Windows Live OneCare safety scanner, Windows Live OneCare and the various Forefront products include these detections. If you believe that you identified new malware that is exploiting this vulnerability, or other malware, please let us know by submitting that file to our portal.

So get protected, and the sooner, the better.

Ziv Mador
Microsoft Malware Protection Center
Anonymous comments are disabled


Details: http://bbs.micropoint.com.cn/showthread.asp?tid=43026&fpage=1

# milw0rm.com [2008-10-23]
hxxp://www.milw0rm.com/exploits/6824

In vstudio command prompt:

   mk.bat

next:

   attach debugger to services.exe (2k) or the relevant svchost (xp/
2k3/...)

   net use \\IPADDRESS\IPC$ /user:user creds
   die \\IPADDRESS \pipe\srvsvc

   In some cases, /user:"" "", will suffice (i.e., anonymous
connection)


You should get EIP -> 00 78 00 78, a stack overflow (like a guard page
violation), access violation, etc.   However, in some cases, you will
get
nothing.


This is because it depends on the state of the stack prior to the
"overflow".
You need a slash on the stack prior to the input buffer.


So play around a bit, you'll get it working reliably...


posted on 2008-11-30 21:01 HQ 阅读(534) 评论(0)  编辑 收藏 引用

只有注册用户登录后才能发表评论。

导航

统计

常用链接

留言簿(2)

随笔档案(7)

文章分类(14)

相册

搜索

积分与排名

最新评论

阅读排行榜

评论排行榜