“Successful” Worms Still Interrupt

“Conficker” or “Downadup,” the latest major computer worm, is now reported to have infected as many as 10 million computers worldwide. Attacked systems may slow enterprise Microsoft Active Directory domain infrastructure, lock out users, disable security product update services, and block access to security-related web sites. Two major attack or replication vectors are network shares and USB storage devices. Ineffective resistance to malicious software can cost your business plenty in lost productivity and clean-up effort and expense. That resistance requires careful MS Windows configuration settings, thorough and timely patching of all MS Windows software, security-conscious application development, and up-to-date anti-virus suite(s).

Microsoft Malware Protection Center describes Win32/Conficker as “a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. Depending on the specific variant, it may also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products and downloads arbitrary files.”
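A defender's posture check for the weaknesses described above, as an added example (it is not code from the original post or from Microsoft): it assumes the MS08-067 fix for CVE-2008-4250 is installed as hotfix KB958644, that the NoDriveTypeAutoRun policy value governs autorun, and that the service names listed are the ones the worm is documented to stop.

```powershell
# Added example: Conficker exposure check for one Windows host (run as administrator).
# Reports on the weaknesses the post describes: missing MS08-067 patch
# (CVE-2008-4250), autorun enabled for removable drives, security-related
# services stopped, and name resolution of security vendor sites failing.

$findings = @()

# 1. Patch state. KB958644 is the MS08-067 hotfix that closes the Server
#    service vulnerability the worm exploits (assumed identifier; later
#    cumulative updates supersede it, so absence is a hint, not proof).
if (-not (Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)) {
    $findings += 'MS08-067 hotfix KB958644 not found; verify the Server service is patched'
}

# 2. Autorun. A NoDriveTypeAutoRun value of 0xFF disables autorun on every
#    drive type, which closes the USB replication vector.
$key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($null -eq $autorun -or $autorun -ne 0xFF) {
    $findings += "NoDriveTypeAutoRun is '$autorun' (want 0xFF); autorun not fully disabled"
}

# 3. Services the worm is documented to stop: Automatic Updates, BITS,
#    Windows Defender, Error Reporting and Security Center.
foreach ($svc in 'wuauserv', 'BITS', 'WinDefend', 'ERSvc', 'wscsvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Running') {
        $findings += "Service $svc is $($s.Status)"
    }
}

# 4. Blocked security sites. The worm interferes with lookups of vendor
#    domains; failure for all of them on an otherwise connected host is a
#    strong indicator that something is filtering name resolution.
$failed = 0
$sites = 'www.microsoft.com', 'www.symantec.com', 'www.f-secure.com'
foreach ($site in $sites) {
    try { [void][System.Net.Dns]::GetHostAddresses($site) } catch { $failed++ }
}
if ($failed -eq $sites.Count) {
    $findings += 'Name resolution failed for every tested security vendor site'
}

if ($findings.Count -eq 0) { 'No Conficker exposure indicators found' } else { $findings }
```

A host that fails the first two checks is exposed to both replication vectors the post names; the last two checks point at an infection already in progress and call for the removal tools linked below.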

“Conficker” or “Downadup” is also known by other names:

  • Worm:Win32/Conficker.A (Microsoft)
  • Worm:Win32/Conficker.B (Microsoft)
  • Trojan:Win32/Conficker!corrupt (Microsoft)
  • Crypt.AVL (AVG)
  • Mal/Conficker-A (Sophos)
  • Trojan.Win32.Pakes.lxf (F-Secure)
  • Trojan.Win32.Pakes.lxf (Kaspersky)
  • Trojan.Win32.Agent.bccs (Kaspersky)
  • Trojan-Downloader.Win32.Agent.aqfw (Kaspersky)
  • W32.Downadup (Symantec)
  • W32.Downadup.B (Symantec)
  • WORM_DOWNAD.A (Trend Micro)
  • Win32/Conficker.A (CA)
  • W32/Conficker.worm (McAfee)
  • TA08-297A (other)
  • CVE-2008-4250 (other)
  • VU827267 (other)
  • Confickr (other)

Microsoft has released a version of the Malicious Software Removal tool (MSRT) that can help remove variants of Win32/Conficker, as have other anti-virus vendors.

F-Secure: http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml

Symantec: http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99

————— Update —————

“Conficker Remains an Issue.”  29 March 2009

A couple months ago we were still all writing about Conficker.  It seems like it just will not die.
It is now so ever-present that it was in the business section of the Des Moines Register (“Troublesome Internet worm set to change tactics.” page 9B).
Then tonight it was the headliner on “60 Minutes.” (“The Conficker Worm: What Happens Next?” http://www.cbsnews.com/stories/2009/03/27/60minutes/main4897053.shtml)
Antivirus, corporate anti-malware web proxies, and personal firewalls cost us all a fortune to purchase and manage.

I will be asking my Symantec representative about readiness and execution today, as well as their strategy for not getting in this position again…
Their piece on “60 Minutes” was heavy on technology glitz and soft talk about how difficult the problem is — but how well protected users could be.

I am curious, are you doing anything new to deal with Conficker?

— References —

“Computer worm called ‘real threat.’” By Karen Middleton, The News-Courier: http://www.enewscourier.com/local/local_story_024202508.html

F-Secure, “Where is Downadup?”: http://www.f-secure.com/weblog/archives/00001589.html

Microsoft Malware Protection Center: http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker

Current Microsoft Malicious Software Removal Tool: http://www.microsoft.com/security/malwareremove/default.mspx and a related blog entry: http://blogs.technet.com/mmpc/archive/2009/01/13/msrt-released-today-addressing-conficker-and-banload.aspx

— Added 03/29/2009 —

60 Minutes: http://www.cbsnews.com/stories/2009/03/27/60minutes/main4897053.shtml
