Conflicker Worm - More Potent MS08-067 attacks to unpatched systems

Posted Saturday, November 29, 2008 1:13 PM by hwaldron

Lightning MS08-067 worm developments have continued by malicious authors, since Microsoft made this security patch available on October 23, 2008.  The latest development ramps up the danger, as this new worm will delete system restore points, creates a backdoor to download more malicious code, and it even patches the RPC vulnerability to further disquise it's presence.  

While AV protection and firewalls can mitigate attacks to port 445, the best defense is to ensure all PCs are up-to-date for Microsoft security changes.  For example, an unpatched PC might become infected if their firewall fails or isn't active when connected to the Internet.  If this worm were present on a laptop, it could infect unpatched corporate web servers and PCs if Intranet firewall controls are missing.

This new worm represents the most advanced MS08-067 attacks to date.  As noted in every link, it's important to PATCH NOW if you have any systems that don't have this update. 

New malware using an ms08-067 exploit gained momentum
http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
http://www.avertlabs.com/research/blog/index.php/2008/11/25/further-067-woes/
http://blog.trendmicro.com/ms08-067-vulnerability-botnets-reloaded/
http://isc.sans.org/diary.html?storyid=5401

QUOTE: First let me say, “PATCH your systems” if you have not done so already! Seriously, you and your machines are sitting ducks for attacks such as MS08-067, which we learned about from Microsoft last month. This type of attack is especially dangerous if your Windows Updates or security products are not up to date. Microsoft released its out-of-cycle emergency patch on the 23rd of October–more than one month ago–so you have no excuse today for being at risk!

According to the description in our Virus Information Library, W32/Conficker.worm decides how it will load itself as a Windows Service depending on whether the compromised version of Windows is Windows 2000. Once loaded in the service space, the worm attempts to download files from the Internet.

The worm continues by setting up an HTTP server that listens on a random port on the victim’s system while hosting a copy of the worm. It then scans for new vulnerable victims to exploit, at which point the new victim will download the worm from the previous victim and so on.

W32/Conficker.worm Detailed Information
http://vil.nai.com/vil/content/v_153464.htm
http://www.f-secure.com/v-descs/worm_w32_downadup_a.shtml
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=75911
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDOWNAD%2EA&VSect=P
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A

Trend - Behavioral Diagram
http://www.trendmicro.com/vinfo/images/blog/DOWNAD123.jpg


Time PATCH NOW - if there are any servers or PCs that are not update for Microsoft security releases.  Home users can employ the Windows Update process.  More information can be found in the link below:

MS08-067 Security Patch Information
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Comments

No Comments