Starting last night, the computer at my home began showing the following symptom:
Typing in a URL, opening a URL from my bookmarks, or clicking a link in Google search results would intermittently redirect to a page named "http:///nhds/ipc.jsp?ref=1". Pressing "Back" returns to the page I wanted to open; sometimes after pressing "Back" the page shows garbled characters, but a refresh fixes it. I saved a screenshot of the problem when it occurred:
I just saw that F-Secure has reported a worm exploiting the MS08-067 vulnerability; F-Secure detects this worm as Exploit.Win32.MS08-067.g.
According to F-Secure's description, the worm downloads a dropper, Trojan-Dropper.Win32.Agent.yhi, which contains a DDoS bot.
Quote
We've received the first reports of a worm capable of exploiting the MS08-067 vulnerability. The exploit payload downloads a dropper that we detect as Trojan-Dropper.Win32.Agent.yhi.
The dropped components include a kernel mode DDOS-bot that currently has a selection of Chinese targets in its configuration.
The worm component is detected as Exploit.Win32.MS08-067.g and the kernel component as Rootkit.Win32.KernelBot.dg.
This is a Frequently Asked Questions document about the new RPC vulnerability in Microsoft Windows. The document describes related Trojan malware as well.
It is worth noticing that code execution type vulnerabilities in Office programs have been widely used for industrial espionage since 2006. This time the exploitation represents the use of non-Office vulnerabilities, and the e-mail attack vector is not used.
Q: What is the recent Microsoft Windows RPC vulnerability disclosed in October?
A: This vulnerability is caused by an error when processing malformed RPC (Remote Procedure Call) requests. The issue was disclosed by the vendor after active exploitation of the vulnerability.
Q: How does the vulnerability mentioned work?
A: The vulnerability is a code execution type vulnerability. An attacker successfully exploiting this vulnerability can run code of his or her choice on the affected machine.
This vulnerability is caused by an overflow when handling malformed RPC requests. This enables execution of arbitrary code of the attacker's choice. Technically the vulnerability exists in the Server service.
Q: When was this vulnerability found?
A: The exact information is not available. Information about the upcoming security update was announced on 22nd October, but this vulnerability had already been used in targeted attacks for at least two weeks. The exploitation disclosed the existence of the vulnerability.
Q: What is the mechanism of exploitation?
A: Information was not disclosed, but drive-by download attacks, fake codec Web sites, etc. are very probably the methods being used.
Update: It is confirmed that the exploits can download a malicious .exe automatically.
Early this morning Beijing time, Microsoft released an emergency security bulletin, MS08-067. This is an out-of-band bulletin rated Critical, serious enough to deserve everyone's attention.
The vulnerability lies in the system's Server service; an attacker exploiting it can achieve remote code execution. Affected operating systems include Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008. Microsoft has also rated the patch differently for different operating systems: on Windows 2000, Windows XP and Windows Server 2003 the vulnerability is rated Critical, while on Windows Vista and Windows Server 2008 it is rated Important.
According to what is currently known, malware exploiting this vulnerability has already been in the wild on the Internet for several days, and a PoC for the vulnerability has been published. So how should we protect our systems from outside attack?
In vstudio command prompt:
mk.bat
next:
attach debugger to services.exe (2k) or the relevant svchost (xp/2k3/...)
net use \\IPADDRESS\IPC$ /user:user creds
die \\IPADDRESS \pipe\srvsvc
In some cases, /user:"" "", will suffice (i.e., anonymous connection)
You should get EIP -> 00 78 00 78, a stack overflow (like a guard page
violation), access violation, etc. However, in some cases, you will get
nothing.
Nine days after Microsoft released this month's security patches, Microsoft has again released an out-of-band emergency security patch, MS08-067. According to Microsoft's report, they consider this vulnerability to be wormable on Windows XP and older operating systems. Microsoft OneCare detects this vulnerability as Exploit:Win32/MS08067.gen!A.
Meanwhile, Microsoft's MSRC has also captured malware exploiting this vulnerability, detected as TrojanSpy:Win32/Gimmiv.A and TrojanSpy:Win32/Gimmiv.A.dll.
Vulnerability description:
A few days ago, Adobe released a Security Advisory about Clickjacking, APSA08-08.
Today I saw that Adobe has released Adobe Flash Player 10, and also noticed that Adobe has updated the Security Advisory and recommends that users upgrade older versions of Adobe Flash Player to the latest version, 10.0.12.36. It follows that Adobe Flash Player 10 should have fixed the Clickjacking vulnerability.
Quote
Solution
Adobe recommends all users of Adobe Flash Player 9.0.124.0 and earlier versions upgrade to the newest version 10.0.12.36 by downloading it from the Player Download Center, or by using the auto-update mechanism within the product when prompted. Adobe will be providing an update to Flash Player 9 for customers who cannot upgrade to Flash Player 10 in early November. This Security Bulletin will be updated once the Flash Player 9 update is available.
Microsoft's monthly patch release day has come around again; this time a total of 11 bulletins and one cumulative ActiveX Kill Bit security update were released:
Microsoft Security Advisory (956391)
Cumulative Security Update of ActiveX Kill Bits
The 11 bulletins break down as follows: 4 Critical, 6 Important, 1 Moderate.
Critical: 4
MS08-057 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (956416)
MS08-058 Cumulative Security Update for Internet Explorer (956390)
MS08-059 Vulnerability in Host Integration Server RPC Service Could Allow Remote Code Execution (956695)
MS08-060 Vulnerability in Active Directory Could Allow Remote Code Execution (957280)
Important: 6
MS08-061 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)
MS08-062 Vulnerability in Windows Internet Printing Service Could Allow Remote Code Execution (953155)
MS08-063 Vulnerability in SMB Could Allow Remote Code Execution (957095)
MS08-064 Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841)
MS08-065 Vulnerability in Message Queuing Could Allow Remote Code Execution (951071)
MS08-066 Vulnerability in the Microsoft Ancillary Function Driver Could Allow Elevation of Privilege (956803)
Moderate: 1
MS08-056 Vulnerability in Microsoft Office Could Allow Information Disclosure (957699)
For details, visit the Microsoft website:
Microsoft Security Bulletin Summary for October 2008
Microsoft today released a Security Advisory, 951306, stating that a Windows vulnerability could allow elevation of privilege to LocalSystem. Here is Microsoft's description:
Quote
Microsoft is investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2, Windows XP Professional Service Pack 3, and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008. Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory. Hosting providers may be at increased risk from this elevation of privilege vulnerability.