Microsoft has announced a $250,000 reward for the arrest and conviction of the authors of the Conficker worm, also known as Downadup.
Apparently Microsoft feels that not enough is being done by Windows administrators to stop the infestation and propagation of this worm. F-Secure, an anti-virus software vendor, reported in January of this year that almost 9 million PCs had been infected. The worm was released in the fall of 2008.
The worm exploits a buffer overflow in the Windows Server Service. Once it has a foothold on a machine it goes after the Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting services, disabling them so the system can no longer patch or defend itself. It then connects to an external server, from which it receives instructions on how to propagate further. While connected to that server it downloads more malware that affects other Windows processes, including svchost.exe, explorer.exe and services.exe.
Microsoft released a patch (MS08-067) in the fall of 2008 to fix the vulnerability. Microsoft, Symantec and Kaspersky Labs also have patches to repair infected systems, and McAfee offers an on-demand scan to remove the worm. The worm can also spread via any drive that uses AutoRun, including USB drives, so many vendors recommend disabling the AutoRun feature for external media by modifying the Windows Registry. Note that if you are running anything earlier than Windows XP Service Pack 2 or Windows 2000 SP4, no patch is available. Sorry.
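The paragraph above names three things an administrator should verify on a Windows box: that the MS08-067 fix is installed, that the services the worm shuts down are still running, and that AutoRun is disabled for removable media. The following PowerShell script is an added example written for this post, not a tool from Microsoft or any of the vendors mentioned. It assumes PowerShell is available on the machine and that it is run from an elevated prompt. KB958644 is the hotfix identifier MS08-067 shipped under; the service names and the NoDriveTypeAutoRun registry value are the standard Windows ones, and the service list is limited to the services the post itself mentions.

```powershell
# Added example (not part of the original post): audit a Windows host for the
# Conficker-related hardening points discussed above. Read-only by default;
# pass -DisableAutoRun to also apply the AutoRun registry hardening.
param(
    [switch]$DisableAutoRun   # apply the registry change instead of only reporting it
)

$findings = @()

# 1. Is the MS08-067 fix present? MS08-067 was delivered as hotfix KB958644.
$hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
if ($hotfix) {
    $findings += "OK      MS08-067 (KB958644) installed on $($hotfix.InstalledOn)"
} else {
    $findings += "MISSING MS08-067 (KB958644) not found; install it before anything else"
}

# 2. Are the services the worm is known to stop still running and set to start?
#    Service names differ between XP and Vista+ for Error Reporting, so both are
#    listed and whichever is absent on this version is skipped.
$watched = @{
    'wuauserv'  = 'Automatic Updates'
    'wscsvc'    = 'Security Center'
    'WinDefend' = 'Windows Defender'
    'ERSvc'     = 'Error Reporting (XP)'
    'WerSvc'    = 'Error Reporting (Vista and later)'
}
foreach ($name in $watched.Keys) {
    # Win32_Service exposes both State and StartMode on older PowerShell versions.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue
    if (-not $svc) { continue }   # not present on this Windows version
    if ($svc.State -ne 'Running' -or $svc.StartMode -eq 'Disabled') {
        $findings += "WARN    $($watched[$name]) ($name) is $($svc.State), start mode $($svc.StartMode); the worm is known to stop this service"
    } else {
        $findings += "OK      $($watched[$name]) ($name) running, start mode $($svc.StartMode)"
    }
}

# 3. AutoRun policy. NoDriveTypeAutoRun is a bitmask of drive types on which
#    AutoRun is suppressed; 0xFF turns it off for every drive type.
$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$prop = Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
$current = if ($prop) { $prop.NoDriveTypeAutoRun } else { $null }

if ($current -eq 0xFF) {
    $findings += "OK      AutoRun disabled for all drive types (NoDriveTypeAutoRun=0xFF)"
} else {
    $shown = if ($null -eq $current) { 'not set' } else { ('0x{0:X}' -f $current) }
    $findings += "WARN    NoDriveTypeAutoRun is $shown; removable media can still trigger AutoRun"
    if ($DisableAutoRun) {
        # Create the policy key if it does not exist yet, then set the DWORD value.
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
        $findings += "FIXED   NoDriveTypeAutoRun set to 0xFF; log off or reboot for it to take effect"
    }
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it once without arguments to get a report, and with `-DisableAutoRun` to apply the registry change on machines where the report shows a WARN for AutoRun. A stopped Automatic Updates or Security Center service on a box nobody touched is worth treating as an indicator that the machine is already infected rather than just misconfigured, so follow a WARN there with a scan using one of the removal tools mentioned above.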
Linux and Mac computers are not affected by this worm. It is designed to exploit only computers running the Windows operating system.
Now that we have the background, two questions come to mind. Why are the administrators not repairing these systems, and, an even bigger question, how in the world are these infected machines able to provide the network services they were set up to perform?
I think that I’ll stick with my Linux and Solaris machines, where the chances of something like this happening are slim. And if it does, the patches generally aren’t limited to a certain version of the operating system, especially if you are using enterprise-grade software such as Red Hat, CentOS, Ubuntu, SuSE or Solaris. These companies all offer 5 to 7 years of security patches on their enterprise versions.