
Wednesday, April 1, 2009

MS08-067 Attacks : Conflicker Worm

Malicious authors have continued to develop MS08-067 worms since Microsoft made this security patch available on October 23, 2008. The latest development ramps up the danger: this new worm deletes system restore points, creates a backdoor to download more malicious code, and even patches the RPC vulnerability to further disguise its presence.

While AV protection and firewalls can mitigate attacks on port 445, the best defense is to ensure all PCs are up to date with Microsoft security updates. For example, an unpatched PC might become infected if its firewall fails or isn't active while connected to the Internet. If this worm were present on a laptop, it could infect unpatched corporate web servers and PCs if Intranet firewall controls are missing.

This new worm represents the most advanced MS08-067 attack to date. As noted in every link below, it's important to PATCH NOW if you have any systems that don't have this update.

New malware using an ms08-067 exploit gained momentum
http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
http://www.avertlabs.com/research/blog/index.php/2008/11/25/further-067-woes/
http://blog.trendmicro.com/ms08-067-vulnerability-botnets-reloaded/
http://isc.sans.org/diary.html?storyid=5401

QUOTE: First let me say, “PATCH your systems” if you have not done so already! Seriously, you and your machines are sitting ducks for attacks such as MS08-067, which we learned about from Microsoft last month. This type of attack is especially dangerous if your Windows Updates or security products are not up to date. Microsoft released its out-of-cycle emergency patch on the 23rd of October–more than one month ago–so you have no excuse today for being at risk!

According to the description in our Virus Information Library, W32/Conficker.worm decides how it will load itself as a Windows Service depending on whether the compromised version of Windows is Windows 2000. Once loaded in the service space, the worm attempts to download files from the Internet.

The worm continues by setting up an HTTP server that listens on a random port on the victim’s system while hosting a copy of the worm. It then scans for new vulnerable victims to exploit, at which point the new victim will download the worm from the previous victim and so on.
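As an added example (not from the original post or any of the linked write-ups), a detector that runs over constructed firewall log lines and flags the propagation pattern described above: one host reaching many distinct peers on TCP/445 within a short window. The log format, the window and the threshold are my assumptions.

```python
"""Flag hosts whose outbound SMB (TCP/445) pattern looks like MS08-067 worm
propagation: one source touching many distinct destinations on port 445 in a
short window. The log layout below is a constructed, simplified format and
not any vendor's real one."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic); assumed layout:
# "<ISO timestamp> <src ip> -> <dst ip>:<dst port> <action>"
SAMPLE_LOG = """\
2008-11-24T09:00:01 10.1.1.20 -> 10.1.1.5:445 allow
2008-11-24T09:00:02 10.1.1.20 -> 10.1.1.6:445 allow
2008-11-24T09:00:02 10.1.1.20 -> 10.1.1.7:445 allow
2008-11-24T09:00:03 10.1.1.20 -> 10.1.1.8:445 drop
2008-11-24T09:00:03 10.1.1.20 -> 10.1.1.9:445 drop
2008-11-24T09:00:04 10.1.1.20 -> 10.1.1.10:445 allow
2008-11-24T09:00:04 10.1.1.20 -> 10.1.1.11:445 allow
2008-11-24T09:00:05 10.1.1.20 -> 10.1.1.12:445 allow
2008-11-24T09:00:05 10.1.1.20 -> 10.1.1.13:445 allow
2008-11-24T09:00:06 10.1.1.20 -> 10.1.1.14:445 allow
2008-11-24T09:00:07 10.1.1.31 -> 10.1.1.5:445 allow
2008-11-24T09:00:08 10.1.1.31 -> 10.1.1.5:445 allow
2008-11-24T09:00:09 10.1.1.42 -> 10.1.1.5:80 allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<action>\w+)$")


def parse(log_text):
    """Yield (timestamp, src, dst, port); lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"],
                   m["dst"], int(m["port"]))


def find_smb_scanners(log_text, window=timedelta(seconds=60), threshold=8):
    """Return {src: distinct_dst_count} for sources that reached at least
    `threshold` distinct hosts on TCP/445 inside some `window`-long span.
    Dropped connections count too: a scanner that hits a blocked address
    still reveals itself, and the firewall is the only thing between it
    and an unpatched neighbour."""
    events = defaultdict(list)          # src -> [(ts, dst)] for port 445 only
    for ts, src, dst, port in parse(log_text):
        if port == 445:
            events[src].append((ts, dst))
    hits = {}
    for src, pairs in events.items():
        pairs.sort()                    # sliding window over time-ordered events
        for i, (start, _) in enumerate(pairs):
            seen = {d for t, d in pairs[i:] if t - start <= window}
            if len(seen) >= threshold:
                hits[src] = max(hits.get(src, 0), len(seen))
    return hits


if __name__ == "__main__":
    print(find_smb_scanners(SAMPLE_LOG))
```

A workstation that legitimately talks to a handful of file servers stays below the threshold; the worm's victim-to-victim spread does not.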

W32/Conficker.worm Detailed Information
http://vil.nai.com/vil/content/v_153464.htm
http://www.f-secure.com/v-descs/worm_w32_downadup_a.shtml
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=75911
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDOWNAD%2EA&VSect=P
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A

Trend - Behavioral Diagram
http://www.trendmicro.com/vinfo/images/blog/DOWNAD123.jpg


Time to PATCH NOW if there are any servers or PCs that are not up to date with Microsoft security releases. Home users can use the Windows Update process. More information can be found in the link below:

MS08-067 Security Patch Information
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx


Source: Harry Waldron - Corporate and Home Security (Blog)

Thursday, December 18, 2008

Microsoft Security Bulletin Minor Revisions

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: December 17, 2008
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS08-072 - Critical
* MS08-069 - Critical

Bulletin Information:
=====================

* MS08-072 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms08-072.mspx
- Reason for Revision: V1.1 (December 17, 2008): Changed the
Microsoft Baseline Security Analyzer deployment summary to
"no" for Microsoft Office Word 2000 Service Pack 3 in the
Detection and Deployment Tools and Guidance section. Also,
revised the bulletins replaced by this update for Microsoft
Office Outlook 2007 and Microsoft Office Outlook 2007 Service
Pack 1 in the Affected Software table. There were no changes
to the security update binaries.
- Originally posted: December 9, 2008
- Updated: December 17, 2008
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS08-069 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms08-069.mspx
- Reason for Revision: V1.2 (December 17, 2008): Added log file
entries in the Security Update Deployment section Reference
table for Microsoft XML Core Services 6.0 when installed on
Windows Server 2003 Service Pack 1, Windows Server 2003
Service Pack 2, Windows Server 2003 x64 Edition, and Windows
Server 2003 x64 Edition Service Pack 2.
- Originally posted: November 11, 2008
- Updated: December 17, 2008
- Bulletin Severity Rating: Critical
- Version: 1.2


Wednesday, December 10, 2008

Microsoft Security Advisory (960906)

Microsoft Security Advisory (960906)
Vulnerability in WordPad Text Converter Could Allow Remote Code Execution
Published: December 9, 2008
Microsoft is investigating new reports of a vulnerability in the WordPad Text Converter for Word 97 files on Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Windows XP Service Pack 3, Windows Vista, and Windows Server 2008 are not affected as these operating systems do not contain the vulnerable code.
Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.
At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability. Additionally, as the issue has not been publicly disclosed broadly, we believe the risk at this time to be limited.
We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests. This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed.
Customers who believe that they have been attacked can obtain security support at Get security support and should contact the national law enforcement agency in their country. Customers in the United States can contact Customer Service and Support at no charge using the PC Safety hotline at 1-866-PCSAFETY. Additionally, customers in the United States should contact their local FBI office or report their situation at Internet Crime Complaint Center.
Microsoft continues to encourage customers to follow the "Protect Your Computer" guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at home.
Mitigating Factors:

This issue does not affect Windows XP Service Pack 3, Windows Vista, and Windows Server 2008.

An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

The vulnerability cannot be exploited automatically through e-mail. For an attack to be successful, a user must open an attachment that is sent in an e-mail message.

When Microsoft Office Word is installed, Word 97 documents are by default opened using Microsoft Office Word, which is not affected by this vulnerability. However, an attacker could rename a malicious file to have a Windows Write (.wri) extension, which would still invoke WordPad. This file type can be blocked at the Internet perimeter.
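The last mitigating factor is the one a perimeter filter has to get right: a Word 97 file renamed to .wri still reaches WordPad, so the check must look at both the extension and the real container format. The following is an added example, not code from the advisory; the Windows Write header magic and the allow-list of extensions are my assumptions.

```python
"""Attachment check for Advisory 960906's .wri workaround: a Word 97 (OLE)
document renamed to .wri still opens in WordPad, so decide on extension
AND content. Constructed example; the Write magic is an assumption about
the .wri format, not a value from the advisory."""
import os

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file (Word 97 .doc)
WRITE_MAGIC = (b"\x31\xbe", b"\x32\xbe")          # Windows Write wIdent (assumed)
OLE_OK_EXTS = (".doc", ".dot")                    # assumed allow-list for OLE content


def container_type(data):
    """Classify an attachment by its leading bytes, ignoring its name."""
    if data.startswith(OLE_MAGIC):
        return "ole"            # what the vulnerable Word 97 converter parses
    if data[:2] in WRITE_MAGIC:
        return "write"          # native Write document
    return "other"


def attachment_verdict(filename, data, block_wri=True):
    """Return (action, reason). block_wri applies the advisory's blanket
    perimeter block on .wri; with it off, only name/content mismatches are
    caught, which is the narrower but weaker policy."""
    ext = os.path.splitext(filename.lower())[1]
    kind = container_type(data)
    if ext == ".wri":
        if kind == "ole":
            return ("block", "OLE/Word 97 content under a .wri name")
        if block_wri:
            return ("block", ".wri blocked at the perimeter")
        return ("allow", "native Write document")
    if kind == "ole" and ext not in OLE_OK_EXTS:
        return ("quarantine", "OLE content under unexpected extension %s"
                % (ext or "(none)"))
    return ("allow", "%s content, extension %s" % (kind, ext or "(none)"))


# Constructed attachments (not real malware), a few bytes of padding each.
SAMPLES = {
    "renamed.wri": OLE_MAGIC + b"\x00" * 24,
    "letter.wri": b"\x31\xbe\x00\x00\x00\xab" + b"\x00" * 24,
    "memo.doc": OLE_MAGIC + b"\x00" * 24,
    "notes.txt": b"plain text body\n",
}


def run_samples(block_wri=True):
    """Map each sample name to the action the policy takes on it."""
    return {name: attachment_verdict(name, data, block_wri)[0]
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, *attachment_verdict(name, data))
```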

Microsoft Security Bulletin Major Revisions

********************************************************************
Title: Microsoft Security Bulletin Major Revisions
Issued: December 9, 2008
********************************************************************

Summary
=======
The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS08-052 - Critical

Bulletin Information:
=====================

* MS08-052 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx
- Reason for Revision: V3.0 (December 9, 2008): Added Microsoft Office
Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats and
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007
File Formats Service Pack 1, Microsoft Expression Web and Microsoft
Expression Web 2, and Microsoft Office Groove Server 2007 as Affected
Software. Also detailed a detection change for Microsoft SQL Server 2005
Service Pack 2 in the "Why was this bulletin revised on December 9, 2008?"
entry in the Frequently Asked Questions (FAQ) Related to this Security
Update section.
- Originally posted: September 9, 2008
- Updated: December 9, 2008
- Bulletin Severity Rating: Critical
- Version: 3.0

Monday, December 8, 2008

Not Installing MS08-067 Cause for Growing Botnet

As I reported a few weeks back on both my blog and the SecurityOrb.com website, the worm titled WORM_DOWNAD.A continues to cause widespread security issues on the Microsoft platform. It has been estimated that over 500,000 systems running MS Windows have been infected around the world, and the number continues to increase.

It is recommended that system administrators and users install the Microsoft patch MS08-067 update to protect against this worm.

Monday, December 1, 2008

Vista Service Pack 2 in First Quarter 2009


SecurityOrb.com researchers stated in an interview that Microsoft will post a release candidate of Vista SP2 in the first quarter of 2009 and finish the service pack next April.

According to Microsoft, Vista SP2 will include Windows Search 4, Bluetooth 2.1 wireless support, faster resume from sleep when a wireless connection has been broken and support for Blu-ray. Some of those features, including Windows Search and the Bluetooth support, have been available to Vista users for months through individual updates.

The service pack will update both Vista, the client version of Windows, and Windows Server 2008, the company's corresponding server software.

Vista SP2 will require SP1 as a prerequisite, a factor that played to Microsoft's ongoing recommendation that users deploy the first service pack as soon as possible.

Wednesday, November 26, 2008

MS08-067 - Worm is Attacking Windows Security Hole

Security researchers at Microsoft Corp. Tuesday warned of a significant climb in exploits of a Windows bug it patched with an emergency fix last month, confirming earlier reports by Symantec Corp.

Microsoft again urged users to apply the MS08-067 patch if they have not already done so.

The new attacks, which Microsoft's Malware Protection Center said began over the weekend but spiked in the past two days, use the same worm Symantec first spotted last Friday.

Dubbed "Conficker.a" by Microsoft and "Downadup" by Symantec, the worm exploits the vulnerability in the Windows Server service, used by all versions of the operating system to connect to file and print servers on a network. Microsoft patched the bug in an out-of-cycle update five weeks ago after it discovered a small number of infected PCs, most of them in Southeast Asia.

Full article at InfoWorld.com

Monday, May 19, 2008

XP SP3 Issues



FYI, SANS Diary just posted an entry on XP SP3 Issues at
http://isc.sans.org/diary.html?storyid=4429


"According to an article published by Information Week, the newly released 
XP SP3 is causing systems to blue screen (aka BSOD) on AMD based systems. 
Microsoft and HP seem to think it's centered around the Power Management 
feature.

http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=207800691

Here is an example of a message you might receive:

A problem has been detected and Windows has been shut down to prevent 
damage to your computer...
Technical information:
*** STOP: 0x0000007E (0xC0000005, 0xFC5CCAF3, 0xFC90F8C0, 0xFC90F5C0
SYSTEM_THREAD_EXCEPTION_NOT_HANDLED

HP has posted a work around that has you go boot into Safe Mode and 
disable the Intel Power Management.
http://h10025.www1.hp.com/ewfrf/wc/genericDocument?lc=en&cc=us&docname=c01457284&dlc=en&printable=yes&encodeUrl=true&


UPDATE
------
ISC contributors also sent in links to a blog by Jesper Johansson. The 
blog contains loads of information on the issue and a link to Jesper's 
"small tool that will detect the IntelPPM problem and mitigate it before 
installing the service pack".

For free SP3 MS support call (866) 234-6020 ("Free unlimited installation 
and compatibility support is available for Windows XP, but only for 
Service Pack 3 (SP3). This support for SP3 is valid until April 14, 
2009)."


And an older diary entry notes the following with regard to XP SP3:
"retrofits some of the Vista functionality into XP, namely in the area of 
Network Access Protection, Black Hole Router Detection, enhanced security 
for administrator and service policy entries (basically some better 
default settings) and a kernel mode crypto driver.  Additionally, some of 
the "optional" updates released since SP2 will be installed with SP3 (MMC 
3.0, MSXML6, WPA2 support, etc)." 
http://isc.sans.org/diary.html?storyid=4387

Wednesday, May 14, 2008

Problems with Microsoft Windows XP SP3

Microsoft has released Service Pack 3 for Windows XP.  Unsurprisingly, it's having some problems.

The biggest problem is that some systems reboot endlessly, ending in blue screens every time.  Microsoft says in KB888372 that this happens when an AMD-based system has a disk image originally developed on an Intel-based system.  Apparently, many HP systems did this, although HP wasn't commenting.  This configuration dies in SP3 because that section of the registry isn't used anymore ("orphaned"), and the system ends up trying to load both the AMD and the Intel drivers.  Bad things happen after that.

This shouldn't be a problem with Dell computers, since they stick to Intel, but keep it in mind for any AMD-based XP systems you know about. The KnowledgeBase article, I'm told, has instructions for preventing this from happening, or for fixing it afterwards, provided you can find a way to boot into Safe Mode.

Good luck and get a Mac or Linux-Based system.

Friday, May 9, 2008

Microsoft Security Bulletin Advance Notification for May 2008

********************************************************************
Microsoft Security Bulletin Advance Notification for May 2008
Issued: May 8, 2008
********************************************************************

This is an advance notification of security bulletins that
Microsoft is intending to release on May 13, 2008.

The full version of the Microsoft Security Bulletin Advance
Notification for May 2008 can be found at
http://www.microsoft.com/technet/security/bulletin/ms08-may.mspx.

This bulletin advance notification will be replaced with the
May bulletin summary on May 13, 2008. For more information
about the bulletin advance notification service, see
http://www.microsoft.com/technet/security/Bulletin/advance.mspx.

To receive automatic notifications whenever
Microsoft Security Bulletins are issued, subscribe to Microsoft
Technical Security Notifications on
http://www.microsoft.com/technet/security/bulletin/notify.mspx.

Microsoft will host a webcast to address customer questions on
these bulletins on Wednesday, May 14, 2008,
at 11:00 AM Pacific Time (US & Canada). Register for the May
Security Bulletin Webcast at
http://www.microsoft.com/technet/security/bulletin/summary.mspx.

Microsoft also provides information to help customers prioritize
monthly security updates with any non-security, high-priority
updates that are being released on the same day as the monthly
security updates. Please see the section, Other Information.

This advance notification provides the software subject as the
bulletin identifier, because the official Microsoft Security
Bulletin numbers are not issued until release. The bulletin summary
that replaces this advance notification will have the proper
Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the
bulletin identifier. The security bulletins for this month are as
follows, in order of severity:

Critical Security Bulletins
===========================

Word Bulletin

- Affected Software:
- Microsoft Word 2000 Service Pack 3
- Microsoft Word 2002 Service Pack 3
- Microsoft Word 2003 Service Pack 2
- Microsoft Word 2003 Service Pack 3
- Microsoft Word 2007
- Microsoft Outlook 2007
- Microsoft Word 2007 Service Pack 1
- Microsoft Outlook 2007 Service Pack 1
- Microsoft Office 2004 for Mac
- Microsoft Office 2008 for Mac
- Microsoft Word Viewer 2003
- Microsoft Word Viewer 2003 Service Pack 3
- Microsoft Office Compatibility Pack for Word, Excel, and
PowerPoint 2007 File Formats
- Microsoft Office Compatibility Pack for Word, Excel, and
PowerPoint 2007 File Formats Service Pack 1

- Impact: Remote Code Execution
- Version Number: 1.0

Publisher Bulletin

- Affected Software:
- Microsoft Publisher 2000 Service Pack 3
- Microsoft Publisher 2002 Service Pack 3
- Microsoft Publisher 2003 Service Pack 2
- Microsoft Publisher 2003 Service Pack 3
- Microsoft Publisher 2007
- Microsoft Publisher 2007 Service Pack 1

- Impact: Remote Code Execution
- Version Number: 1.0

Jet Bulletin

- Affected Software:
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 2
- Windows XP Professional x64 Edition
- Windows Server 2003 Service Pack 1
- Windows Server 2003 x64 Edition
- Windows Server 2003 with SP1 for Itanium-based Systems

- Impact: Remote Code Execution
- Version Number: 1.0


Moderate Security Bulletins
============================

Security Software Bulletin

- Affected Software:
- Windows Live OneCare
- Microsoft Antigen for Exchange
- Microsoft Antigen for SMTP Gateway
- Microsoft Windows Defender
- Microsoft Forefront Client Security
- Microsoft Forefront Security for Exchange Server
- Microsoft Forefront Security for SharePoint
- Standalone System Sweeper located in Diagnostics and Recovery
Toolset 6.0

- Impact: Denial of Service
- Version Number: 1.0


Other Information
=================

Microsoft Windows Malicious Software Removal Tool:
==================================================
Microsoft will release an updated version of the Microsoft Windows
Malicious Software Removal Tool on Windows Update, Microsoft Update,
Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS:
========================================================
Please see:
* http://support.microsoft.com/kb/894199: Microsoft Knowledge Base
Article 894199, Description of Software Update Services and
Windows Server Update Services changes in content for 2008.
Includes all Windows content.
* http://technet.microsoft.com/en-us/wsus/bb466214.aspx: New,
Revised, and Released Updates for Microsoft Products Other Than
Microsoft Windows

Recognize and avoid fraudulent e-mail to Microsoft customers:
=============================================================
If you receive an e-mail message that claims to be distributing
a Microsoft security update, it is a hoax that may contain
malware or pointers to malicious Web sites. Microsoft does
not distribute security updates via e-mail.

The Microsoft Security Response Center (MSRC) uses PGP to digitally
sign all security notifications. However, PGP is not required for
reading security notifications, reading security bulletins, or
installing security updates. You can obtain the MSRC public PGP key
at
https://www.microsoft.com/technet/security/bulletin/pgp.mspx.

To receive automatic notifications whenever
Microsoft Security Bulletins are issued, subscribe to Microsoft
Technical Security Notifications on
http://www.microsoft.com/technet/security/bulletin/notify.mspx.


Thursday, April 3, 2008

Microsoft Security Bulletin Advance Notification for April 2008



FYI, http://www.microsoft.com/technet/security/bulletin/ms08-apr.mspx states that next Tuesday, April 8, 2008, Microsoft is planning to release 8 security-related patches/updates:

- 5 CRITICAL Security Bulletins affecting Windows, IE and Office, all of which have a possible impact of remote code execution

- 3 Important Security Bulletins affecting Windows and Office, with impacts ranging from spoofing and elevation of privilege to remote code execution