Blast from the past: application of the MS08-067 exploit in real world malware

Elda Dimakiling Microsoft
Francis Allan Tan Seng Microsoft
Scott Wu Microsoft

Every so often, a vulnerability is discovered in an operating system that makes it possible for attackers to exploit widely used systems. Such a vulnerability discovered last year was the Server service vulnerability, which was resolved with the MS08-067 security update. This vulnerability could allow remote code execution when a specially crafted RPC request is incorrectly handled by the Server service, making it a possibly wormable exploit similar to what was seen with the Blaster and Sasser worms.

This paper discusses how the exploit was used by different malware families, from simple trojans that conduct targeted attacks, to worms, such as the well-known Conficker, that infect entire networks. It presents relevant telemetry, including data from the Malicious Software Removal Tool, regarding the spread and impact of some of these malware families on different regions and versions of the Windows operating system. In addition, the paper provides insights into the industry effort in disabling domains targeted by Conficker as well as the $250,000 Microsoft reward for the arrest and conviction of those responsible for Conficker. It also makes observations and recommendations on Microsoft security update practices when dealing with such widespread impact, incorporating technologies such as Windows Update, Windows Server Update Services, and Windows Security Center.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.