
List:       patchmanagement
Subject:    MS08-067 Exploit gaining momentum
From:       "Pasquale Pescatore" <ppescatore () gmail ! com>
Date:       2008-11-26 22:07:28
Message-ID: a9d94eb0811261407l3ba718f6m71297d5a996785d2 () mail ! gmail ! com

Just pulled this off SANS Internet Storm Center

Pasquale

MS - new malware using an ms08-067 exploit gained momentum <http://isc.sans.org/diary.html?storyid=5401>
Published: 2008-11-26,
Last Updated: 2008-11-26 16:32:58 UTC
by Patrick Nolan (Version: 1)
0 comment(s) <http://isc.sans.org/diary.html?storyid=5401#comment>

In Tuesday's blog "More MS08-067 Exploits <http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx>"
Microsoft said that new malware using an ms08-067 exploit "gained momentum
and as a result we see an increased support call volume". The article and
other writeups related to this particular malware have similar information;
some information not contained in each writeup includes:

Symantec W32.Downadup <http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2>


...."the worm deletes any user-created System Restore points"...

...."the worm attempts to contact the following sites to obtain the current
date:

    * http://www.w3.org
    * http://www.ask.com
    * http://www.msn.com
    * http://www.yahoo.com
    * http://www.google.com
    * http://www.baidu.com

It uses the date information to generate a list of domain names.

The worm then contacts these domains in an attempt to download additional
files onto the compromised computer".

Microsoft Conficker.A <http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A>


"Once a machine has been infected the worm will patch the exploited function
via a simple code hook in order to prevent re-infecting a machine it has
already compromised".

Other links:

F-Secure Worm:W32/Downadup.A <http://www.f-secure.com/v-descs/worm_w32_downadup_a.shtml>


CA Win32/Conficker.A <http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=75911>


---
When posting or replying to messages on this list, please send all
emails in plain text format.  HTML formatted messages will not be accepted.

PatchManagement.org is hosted by Shavlik Technologies

To unsubscribe send a blank email to leave-patchmanagement@patchmanagement.org
If you are unable to unsubscribe via this email address, please email
owner-patchmanagement@patchmanagement.org
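The two-step behaviour quoted above (fetch the current date from one of the listed sites, then generate and contact a list of domains) gives a defender something concrete to correlate in proxy and DNS logs. The script below is an example added to this archive page; it is not from the ISC diary, the AV writeups, or the mailing-list post. It flags a host that makes an HTTP request to one of the six date-source sites named in the Symantec writeup and, within a short window afterwards, queries many distinct domains that fail to resolve. The log line format, the field layout, the ten-minute window, the threshold of five failed lookups and every sample line are assumptions constructed for the example.

```python
"""Correlate a date-source fetch with a following burst of failed DNS lookups.

Example code added to this archive page; not part of the ISC diary or the
AV writeups it quotes. Log format, window and threshold are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The date-source sites listed in the Symantec writeup quoted above.
DATE_SOURCES = {
    "www.w3.org", "www.ask.com", "www.msn.com",
    "www.yahoo.com", "www.google.com", "www.baidu.com",
}

# Assumed (constructed) line formats, one event per line:
#   "<iso-time> http <src-ip> GET <host>"
#   "<iso-time> dns  <src-ip> <qname> <rcode>"
LINE_RE = re.compile(r"^(\S+)\s+(http|dns)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, kind, src, a, b = m.groups()
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "src": src, "a": a, "b": b}


def find_dga_candidates(lines, window=timedelta(minutes=10), min_failed=5):
    """Map source IP -> sorted list of NXDOMAIN names queried within `window`
    after that host fetched one of DATE_SOURCES. Hosts with fewer than
    `min_failed` such names are dropped."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])

    # Step 1: remember when each host fetched a date-source site.
    date_fetches = defaultdict(list)
    for e in events:
        if e["kind"] == "http" and e["a"] == "GET" and e["b"] in DATE_SOURCES:
            date_fetches[e["src"]].append(e["ts"])

    # Step 2: count distinct failed lookups that follow such a fetch.
    failed = defaultdict(set)
    for e in events:
        if e["kind"] != "dns" or e["b"] != "NXDOMAIN":
            continue
        for t0 in date_fetches.get(e["src"], []):
            if t0 <= e["ts"] <= t0 + window:
                failed[e["src"]].add(e["a"])
                break

    return {src: sorted(names) for src, names in failed.items() if len(names) >= min_failed}


# Constructed sample log: 10.0.0.5 shows the full pattern, 10.0.0.7 fetches a
# date source but has only a single typo lookup, 10.0.0.9 has many failed
# lookups but never fetched a date source (so this rule alone will not flag it).
SAMPLE_LOG = """
2008-11-26T09:00:00 http 10.0.0.5 GET www.w3.org
2008-11-26T09:00:03 dns  10.0.0.5 www.w3.org NOERROR
2008-11-26T09:00:05 dns  10.0.0.5 aqplvznt.com NXDOMAIN
2008-11-26T09:00:12 dns  10.0.0.5 bwyrkhes.net NXDOMAIN
2008-11-26T09:00:20 dns  10.0.0.5 cjdxmopa.org NXDOMAIN
2008-11-26T09:00:31 dns  10.0.0.5 dtrfqwul.biz NXDOMAIN
2008-11-26T09:00:45 dns  10.0.0.5 euxzplka.info NXDOMAIN
2008-11-26T09:01:02 dns  10.0.0.5 fohjsrmw.com NXDOMAIN
2008-11-26T09:05:00 http 10.0.0.7 GET www.google.com
2008-11-26T09:05:01 dns  10.0.0.7 gogle.com NXDOMAIN
2008-11-26T09:10:00 dns  10.0.0.9 hqwzrtxa.com NXDOMAIN
2008-11-26T09:10:01 dns  10.0.0.9 ikmvbslo.net NXDOMAIN
2008-11-26T09:10:02 dns  10.0.0.9 jpnyfuer.org NXDOMAIN
2008-11-26T09:10:03 dns  10.0.0.9 kdsaqwcm.biz NXDOMAIN
2008-11-26T09:10:04 dns  10.0.0.9 lrtxvghp.info NXDOMAIN
2008-11-26T09:10:05 dns  10.0.0.9 mzubknoe.com NXDOMAIN
""".strip().splitlines()

if __name__ == "__main__":
    for src, names in find_dga_candidates(SAMPLE_LOG).items():
        print(src, "->", ", ".join(names))
```

Note that a date-source fetch on its own is normal client traffic; the rule only fires on the combination with a burst of failed lookups shortly afterwards, and a host that skips the date fetch (10.0.0.9 in the sample) is left for a separate NXDOMAIN-volume rule. The window and threshold should be tuned against the real proxy and resolver logs of the environment.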


