NOTICE: October 23, 2008: Today the MSRC released Security Bulletin MS08-067. For more information on this bulletin, and to stay protected, get the latest information from the MMPC here on our blog: http://blogs.technet.com/mmpc/ar ... -protected-now.aspx
Get Protected, Now!
Thursday, October 23, 2008 10:00 AM by mmpc
We have detection for the current attacks. Its name is Exploit:Win32/MS08067.gen!A and it is included in VDM update version 1.45.1012.0 and higher. We released these VDMs this morning shortly after 10 AM PDT. These current attacks will be detected when the attack file is copied to the victim’s computer, for example, as part of its self-replication. Note that we are not aware of any self-replicating malware that is exploiting this vulnerability at the moment. This update can detect the current attacks and we will continue to update should more be created. Our team, the Microsoft Malware Protection Center, is on the alert and is closely monitoring the situation.
Currently, attacks try to download a trojan named n2.exe to the victim’s computer and there are now two different versions of this binary. Our products are able to detect both files as TrojanSpy:Win32/Gimmiv.A. This trojan drops another DLL that we detect as TrojanSpy:Win32/Gimmiv.A.dll. The malware deletes itself after it executes, so you may not find it even on systems that were previously infected. Our products provide real-time protection that will block that malware from being copied to the hard drive. You can read more details about this malware in our encyclopedia write-ups.
Summary
Exploit:Win32/MS08067.gen!A is a generic detection for code that attempts to exploit a vulnerability in SVCHOST.EXE. If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled.
On targeted hosts running Windows 2003, XP, 2000 or NT, this remote attack may be performed by an unauthenticated user. Successful exploitation of the vulnerability on systems with default installations of Windows Vista and Windows Server 2008 requires authentication due to protections introduced as part of user access control (UAC) that enforce additional levels of integrity.
Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.
Symptoms
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).
MSG to hack: the first virus that bypasses Micropoint will be the first killed in the next 24 hours!
[ Last edited by 点饭的百度空间 on 2008-11-14 at 09:24 ]
Author: snhao Time: 2008-10-30 11:11
So much English, it makes my head spin.
Author: 心随风落 Time: 2008-10-30 15:57
I understand what the OP is trying to say!