Elda Dimakiling Microsoft
Francis Allan Tan Seng Microsoft
Scott Wu Microsoft
Every so often, a vulnerability is discovered in an operating system that makes it possible for attackers to exploit widely used systems. Such a vulnerability discovered last year was the Server service vulnerability, which was resolved with the MS08-067 security update. This vulnerability could allow remote code execution when a specially crafted RPC request is incorrectly handled by the Server service, making it a possibly wormable exploit similar to what was seen with the Blaster and Sasser worms.
This paper discusses how the exploit was used by different malware families, from simple trojans that conduct targeted attacks, to worms, such as the well-known Conficker, that infect entire networks. It presents relevant telemetry, including data from the Malicious Software Removal Tool, regarding the spread and impact of some of these malware families on different regions and versions of the Windows operating system. In addition, the paper provides insights into the industry effort in disabling domains targeted by Conficker as well as the $250,000 Microsoft reward for the arrest and conviction of those responsible for Conficker. It also makes observations and recommendations on Microsoft security update practices when dealing with such widespread impact, incorporating technologies such as Windows Update, Windows Server Update Services, and Windows Security Center.