First Windows 7 Exploit

Discussion in 'malware problems & news' started by Dogbiscuit, Nov 13, 2009.

Thread Status:
Not open for further replies.
  1. Dogbiscuit

    Dogbiscuit Guest

    Article
     
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Considering what massive hit Windows 7 has been so far, I'm surprised it's taken this long to find one! I'll be upgrading to windows 7 soon and I can't wait. :)
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    From the article:

    Note that these ports are constantly probed, as a search of your firewall logs will show:

    kerio-135.gif

    kerio-139.gif

    Note also that these ports were the ones that Conficker exploited. A MSDN blog had this at the end of last year:

    MS08-067 and the SDL
    http://blogs.msdn.com/sdl/archive/2008/10/22/ms08-067.aspx
    You may remember that the Blaster worm exploited Port 135 and the Slammer, Port 445.

    It's pretty evident that insuring that people have a firewall/router properly configured would prevent a lot of problems.

    One caveat is with those who have file sharing enabled, in which case other precautions need to be taken.

    regards,

    -rich
     
  4. Dogbiscuit

    Dogbiscuit Guest

    From DailyTech:

     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    In articles that appeared last week, that quote was attributed to Tyler Reguly, Lead Security Research Engineer with nCircle.

    See:

    Protect Your PCs from Windows 7's Zero-Day Exploit
    November 12, 2009
    http://www.pcworld.com/businesscent...your_pcs_from_windows_7s_zeroday_exploit.html

    Protect Your PCs from Windows 7's Zero-Day Exploit
    November 13, 2009
    http://www.thestandard.com/news/200...Industry Standard News and Predictions (all))

    Laurent Gaffié, in his blog, wrote that IE can be a trigger for the exploit, and his code shows SMB/Port 445 launching the Denial of Service:

    Code:
    launch = SocketServer.TCPServer(('', 445),
    SMB2)# listen all interfaces port 445
    launch.serve_forever()
    
    See:

    Windows 7 / Server 2008R2 Remote Kernel Crash
    http://g-laurent.blogspot.com/2009/11/windows-7-server-2008r2-remote-kernel.html

    The IE trigger may launch the exploit internally via Netbios and the ports, but no working example has been given.

    Microsoft adds to the confusion in its Advisory:

    Microsoft Security Advisory (977544)
    http://www.microsoft.com/technet/security/advisory/977544.mspx

    Meanwhile, as long as this is a Denial of Service attack, it may not attract the interest of malware writers, who are probably more interested in exploits that can install a trojan. However, no worms using this exploit have been released, so that remains to be seen.

    Finally, an observation by Chet Wisniewski, senior security adviser at Sophos:

    First Windows 7 Exploit Appears To Evade SDL Process
    By Jennifer LeClaire November 13, 2009 10:23AM
    http://www.newsfactor.com/news/First-Windows-7-Exploit-Evades-SDL/story.xhtml?story_id=031002F6WXWX

    And so it goes...

    ----
    rich
     
  6. Dogbiscuit

    Dogbiscuit Guest

    It looks as though you may have caught a misquote on DailyTech.
     
  7. softtouch

    softtouch Registered Member

    Joined:
    Jan 31, 2006
    Posts:
    415
    Isn't it common that port 135-139 and 445 is blocked by default in routers and software firewalls? At least, it is for me...
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Misquotes happen - interviewers speak with a number of people in researching an article and get things mixed up.

    Here, the misquote is most unfortunate, since the person identified with the quote is the author of the exploit code and the one who notified Microsoft.

    The correlation with IE specifically to this vulnerability has not been thoroughly discussed nor demonstrated.

    regards,

    ----
    rich
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The problem is with those who have file/print sharing enabled, which I referred to in my first post.

    This came up during the MS08-067 RPC (remote procedure call) vulnerability, also involving ports 139, 445, which the Conficker worm later used. In a Windows Secrets Newsletter from October of last year, Susan Bradley noted:

    Rare out-of-cycle patch emphasizes the risk - MS08-067
    http://windowssecrets.com/comp/081024

    How this exploit could be triggered internally still has yet to be demonstrated, but the possibility for worm propagation exists, depending on the strength of a system's other security measures.

    regards,

    -rich
     
Loading...
Thread Status:
Not open for further replies.