Security Bytes | Jan 21 2009 5:47PM GMT

Conficker, Downadup worm hype? Get the facts



Posted by: Robert Westervelt
Microsoft Security, Network Security, Information Security Threats, Platform Security


Update 1/23: Microsoft has released a blog post explaining everything you need to know about Conficker/Downadup. The bottom line: Ensure that MS08-067 is installed on all machines in the environment, use up-to-date antivirus, ensure you have strong passwords for user accounts, consider disabling AutoPlay.

——————————————————————-
Security vendors from across the spectrum have warned that a worm has been successfully exploiting a hole in the Microsoft Windows Server service. Known as Conficker or Downadup, the worm spreads by exploiting a remote procedure call (RPC) vulnerability.

The flaw was patched by Microsoft in October. The MS08-067 update was meant to stop the worm in its tracks. Many patching vendors say organizations apparently have been slow to deploy the update.

But that may not be the case. Symantec released data showing which countries have had the highest worm infection rates. North America does not even rank in the top 10 countries infected by the worm. The worm has spread in countries where software piracy is rampant, and bootlegged copies of Microsoft Windows won’t receive the latest security updates. Is it a coincidence that the highest infection rates are in China, Russia, Argentina, Taiwan and Brazil (in that order)? China and Russia have been at the top of the list of software-pirating countries for years.

So first, don’t panic. If you’re running antivirus and it’s up to date, you’re probably fine. Second, ensure that the MS08-067 update has been deployed. If it hasn’t, deploy it and then do a thorough review of your patch management processes. This patch should have been deployed months ago.

In its latest round of updates, Microsoft security experts addressed the spread of the worm and how people can check to see if their machines are infected. Microsoft advises customers to scan the machine with up-to-date antivirus. The worm also blocks access to a large number of security websites listed by Microsoft.

Also, Microsoft said its Malicious Software Removal Tool completely cleans the registry elements related to the worm.

What’s all the fascination among security researchers about Conficker/Downadup? It’s not necessarily who’s infected, but how they are being infected. As Derek Brown, of TippingPoint’s DVLabs points out, the worm is an example of advanced malicious software coding. Conficker/Downadup can self-propagate by guessing a person’s weak password or it can spread by simply being passed along on someone’s portable storage device. It disables several system services and security products and then signals to its host that it is ready to download additional instructions.
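As an added example (not part of the original post or of any Microsoft tool), the following PowerShell audit checks one Windows host for the controls the post recommends: the MS08-067 patch, AutoPlay disabled, the update service still enabled, and an antivirus product registered. It assumes MS08-067 ships as KB958644, that AutoPlay is governed by the NoDriveTypeAutoRun policy value, and the standard Windows service and WMI class names.

```powershell
# Added audit script; assumptions: MS08-067 = KB958644, AutoPlay policy value
# NoDriveTypeAutoRun (0xFF disables AutoPlay on all drive types), standard
# service name wuauserv and Security Center WMI class AntiVirusProduct.
$results = [ordered]@{}

# 1. Is the MS08-067 update present? Get-HotFix reads the installed-update list.
$ms08067 = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
$results['MS08-067 (KB958644) installed'] = [bool]$ms08067

# 2. Is AutoPlay disabled for every drive type? The worm also spreads via
#    removable media, which is why the post suggests disabling AutoPlay.
$polKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
$results['AutoPlay disabled (NoDriveTypeAutoRun = 0xFF)'] = ($autorun -eq 0xFF)

# 3. Is the Windows Update service still enabled and running? An infected host
#    that cannot reach update or security sites is a symptom the post describes.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
$results['Windows Update service running'] = ($wu -ne $null -and $wu.Status -eq 'Running')

# 4. Is any antivirus product registered with Security Center? (Client editions
#    of Windows only; servers do not expose this namespace.)
$av = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct `
      -ErrorAction SilentlyContinue
$results['AV registered with Security Center'] = [bool]$av
if ($av) { $results['AV product name(s)'] = ($av.displayName -join ', ') }

# Print a one-line verdict per check; anything marked FAIL needs follow-up.
$results.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value -is [bool]) { if ($_.Value) { 'OK  ' } else { 'FAIL' } } else { 'INFO' }
    '{0} {1}: {2}' -f $state, $_.Key, $_.Value
}
```

Get-HotFix only lists discretely installed hotfixes, so a host whose OS build already contains the fix (a later service pack or cumulative update) will report FAIL on the first check and needs the patch status confirmed from the OS version instead. Password strength, the remaining item in the post's list, is a domain policy question and is not covered here.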

Comment on this Post



Overheard - Conficker / Downadup worm alert - Overheard in the tech blogosphere  |   Jan 21 2009   10:29PM GMT

[...] Robert Westervelt, Conficker, Downadup worm hype? Get the facts [...]


 

Extremesecurity  |   Jan 23 2009   6:35AM GMT

Did Downadup/conficker attack your network? I’ve created a batch file for system administrators to clean/patch/cure infected systems in their networks.

Check it out here: http://extremesecurity.blogspot.com/2009/01/beat-downadupconficker-like-pro-my.html


 

Gis Bun  |   Jan 26 2009   4:59PM GMT

Do not know how organizations are still not patched at least up to and including November [since December was a nasty month].


 

Tony  |   Jan 26 2009   5:57PM GMT

I read a lot of web sites regarding Conficker; however, I am very disappointed by all the writers so far. Everyone is telling me how it is being spread, but none has been able to tell me what Conficker/Downadup does, apart from failing to update from MS and other security-related web sites.

Do you think you could come up with something more useful?


 

Microsoft Conficker/Downadup infections still not a major threat — Security Bytes  |   Jan 27 2009   5:57PM GMT

[...] Ten million infections is a lot of computers, but I repeat what I said in an earlier post that most infections have taken place in countries where it took longer to deploy MS08-067. Places where pirated software is rampant; where machines are more likely to go unpatched. TippingPoint’s ThreatLinQ supports this. [...]


 

Conficker worm to strike April 1 - The Network Hub  |   Mar 30 2009   8:21PM GMT

[...] Computers on your network that have legal licenses of Windows and up-to-date anti-virus software (Conficker, Downadup worm hype?), won’t be subjected to the threat. Take SearchSecurity.com contributor Eric [...]


 

conficker or downadup  |   Mar 31 2009   10:24PM GMT

[...] Conficker worm (Uninstall Instructions) [6] Conficker/Downadup Worm Rapidly Spreading - TB11931 [7] Conficker, Downadup worm hype? Get the facts - Security Bytes [8] Virus Description: [...]