Monday, January 19, 2009

Is the Downadup/Conficker worm building a new botnet?

There's a new Internet worm spreading that may be comparable to Melissa, Sasser, and Blaster in terms of the number of machines infected.

The worm, Downadup (also known as Win32.Conficker.B or simply "Conficker"), exploits a vulnerability in the Windows Server service that is triggered by a specially crafted RPC request and is present in unpatched systems. Microsoft issued a rare out-of-cycle patch, MS08-067, for this flaw on Oct. 23, 2008.

However, estimates of up to nine million Downadup infections within the last week alone suggest that many systems worldwide haven't been patched. Thus the greatest danger from Downadup is to businesses that have not updated their desktops and servers on a regular basis. Home computers protected by a firewall are less at risk, although an infected laptop brought home from work could nonetheless infect a home network. Microsoft has rated the MS08-067 patch Critical for all supported editions of Windows 2000, Windows XP, and Windows Server 2003, and Important for all supported editions of Windows Vista and Windows Server 2008.

According to the SANS Internet Storm Center, Downadup uses multiple vectors to infect PCs.

1) Computers without the October 2008 patch can be attacked remotely and taken over.

2) Downadup can also "brute force" or guess Administrator passwords on local networks and then spread through ADMIN$ shares.

3) Finally, Downadup can write a special autorun.inf file along with its DLL to an infected removable device, such as a USB flash drive or external hard drive, so that the DLL runs when the device is plugged into another PC.

Once executed, Downadup disables a number of system services, including Windows Security Center, Windows Defender, Windows Automatic Update, and Windows Error Reporting. Downadup then generates a list of possible domains, selects one, and then attempts to connect to a malicious server to download additional malware onto the infected computer.
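The behaviour above gives a defender two cheap host checks: whether the services the worm disables have actually been set to Disabled, and whether the MS08-067 fix is present. The PowerShell below is an added example, not code from the original post or from any vendor; it assumes it is run as an administrator on Windows XP/2003/Vista/2008, uses the standard service names for the four services named in the post (ERSvc on XP/2003, WerSvc on Vista/2008 for Error Reporting), and relies on the MS08-067 update being listed under its Knowledge Base number KB958644.

```powershell
# Added example (not from the original post): triage a host for the
# Downadup/Conficker symptoms described above. Assumed: run as administrator.

# Service names for the services the worm disables. Not every name exists on
# every Windows edition, so missing services are simply skipped.
$watchedServices = @{
    'wscsvc'    = 'Windows Security Center'
    'WinDefend' = 'Windows Defender'
    'wuauserv'  = 'Windows Automatic Update'
    'ERSvc'     = 'Windows Error Reporting (XP/2003)'
    'WerSvc'    = 'Windows Error Reporting (Vista/2008)'
}

function Test-WatchedServices {
    # Returns the names of watched services whose start mode is Disabled.
    $tampered = @()
    foreach ($name in $watchedServices.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }   # service not installed on this edition
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($wmi.StartMode -eq 'Disabled') {
            Write-Warning ("{0} ({1}) is Disabled - consistent with the worm's tampering" -f $watchedServices[$name], $name)
            $tampered += $name
        } else {
            Write-Output ("{0}: status={1}, start mode={2}" -f $name, $svc.Status, $wmi.StartMode)
        }
    }
    return $tampered
}

function Test-MS08067Installed {
    # MS08-067 is published as KB958644; WMI lists installed updates by that id.
    $fix = Get-WmiObject -Class Win32_QuickFixEngineering -Filter "HotFixID='KB958644'"
    if ($null -ne $fix) {
        Write-Output 'MS08-067 (KB958644) is installed'
        return $true
    }
    Write-Warning 'MS08-067 (KB958644) not found - this host is exposed to the RPC vector'
    return $false
}

$disabled = Test-WatchedServices
$patched  = Test-MS08067Installed
if ($disabled.Count -gt 0 -or -not $patched) {
    Write-Warning 'Host needs attention: run the current MSRT and apply MS08-067'
}
```

A Disabled start mode on several of these services at once is a symptom, not proof of infection (an administrator may have disabled them deliberately), so treat the output as a prompt to run the January 2009 MSRT or a current scanner rather than as a verdict.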

Given all the secrecy just to download additional malware, I'm thinking this is a botnet-creating worm.

Although Microsoft added Downadup detection to its January 2009 Malicious Software Removal Tool (MSRT), an anti-malware utility distributed to Windows machines via the Windows Update process, experts recommend that users apply the MS08-067 patch from last October if they haven't already done so. Additionally, users may want to disable Autorun so that an infected USB drive or other removable media device can't infect their PC. However, disabling Autorun in Windows involves editing the System Registry and should only be done by experienced personnel.
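For the experienced personnel the post refers to, this is the registry edit in question. The PowerShell below is an added example, not code from the original post or from Microsoft; it assumes it is run as an administrator and sets the NoDriveTypeAutoRun policy value (a real Explorer policy) to 0xFF, which turns Autorun off for every drive type. Because some Windows XP/2003 builds still honoured autorun.inf despite that policy, it also applies the IniFileMapping workaround that makes Windows ignore autorun.inf files entirely.

```powershell
# Added example (not from the original post): disable Autorun so an infected
# removable device cannot launch its DLL. Assumed: run as administrator;
# reboot or log off afterwards for Explorer to pick up the policy.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$iniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'

function Get-AutorunPolicy {
    # Returns the current NoDriveTypeAutoRun mask, or $null if it is not set.
    $item = Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.NoDriveTypeAutoRun
}

function Disable-Autorun {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    # Each bit of the mask disables Autorun for one drive type; 0xFF sets them
    # all (removable, fixed, network, CD-ROM, RAM disk and unknown drives).
    Set-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

    # Belt and braces for XP/2003: map autorun.inf to a registry location that
    # does not exist, so Explorer never reads the file's contents at all.
    if (-not (Test-Path $iniMapKey)) { New-Item -Path $iniMapKey -Force | Out-Null }
    Set-ItemProperty -Path $iniMapKey -Name '(default)' -Value '@SYS:DoesNotExist'
}

$before = Get-AutorunPolicy
Disable-Autorun
$after = Get-AutorunPolicy
$shown = if ($null -eq $before) { 'unset' } else { '0x{0:X2}' -f $before }
Write-Output ('NoDriveTypeAutoRun: before={0} after=0x{1:X2}' -f $shown, $after)
```

Note that this only stops the autorun.inf vector; it does nothing against the RPC exploit or the ADMIN$ password-guessing vector, which still require the MS08-067 patch and strong administrator passwords.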
