Topic: Danger Will Robinson! A TCP/IP Worm is in the wild
Author: Wiz Feinberg
From: Mid-Michigan, USA
Posted: 19 Jan 2009 7:31 pm

Many of you may have already heard or read about a new Windows Worm that is infecting millions of networked computers in two short weeks. Dubbed the Conficker or Downadup Worm it exploits a vulnerability in Windows that was patched on October 23, 2008, in an out-of-band patch.

The Worm spreads over the wires, so to speak, but can also be acquired by hostile downloads that are triggered automatically by vulnerable (unpatched) Windows computers. It attacks the components of the Server Service, over a wide range of ports and injects itself into services.exe, explorer.exe and svchost.exe.

Who is at risk?

Windows computer users, with file and printer sharing enabled, running with Computer Administrator permissions, as well as Domain administrators, who allow weak passwords on their networks. Also, networked computers running as Limited User accounts can be attacked if the Worm guesses your Administrator password for that computer.

The Worm uses a dictionary attack to try to crack logins to gain admin control over any Windows Workstation or Server it locates on a network that it infiltrates. It spreads to any unpatched machine that it can log into. It also spreads to all attached writable drives, including thumbdrives. Conficker installs a file that causes the Worm to infect any computer that attempts to view an infected network share, or mapped drive.

How do I prevent infection by the Conficker Worm?

Right now the only good defense against acquiring this threat is to install Microsoft patch MS08-067, which can be done via Windows Updates, Microsoft Updates, Windows Server Update Service, or through the Microsoft Downloads Center. Links to all of these are available on the aforementioned Technet page. You can also find temporary workarounds there that disable the Server and Computer Browser Services, among others (crippling your computer). That patch fixes the vulnerability currently being exploited in the Server Service.

What can I do to fend off TCP Worm attacks?

Install a good firewall on your PCs and make sure that your hardware firewall, in your router, does not have any open ports (like for file sharing over the 'net).

How do I remove Conficker?

<strike>Before you can remove Conficker you will probably need to rename your HOSTS file. Add an extension to it, like .txt, then reboot. The Worm makes numerous entries to your HOSTS file that redirect requests to Microsoft and most security websites back to the local machine address of 127.0.0.1. Renaming HOSTS removes these hostile redirects and allows you to obtain security updates or new malware removal products.</strike> Incorrect. The redirects are done via kernel level DNS intercepts and cannot be dealt with so easily as renaming HOSTS. The machine must be disinfected at arm's length, with outside resources, or a Linux bootable CD or BartPE CD.

You must use another uninfected computer to download Worm removal tools now available, copy them to either a CD or USB stick, render the thumbdrive read only, then transfer it to the infected machine and run the removal tools. These tools are available from Symantec, Trend Micro, Sophos, Panda and other security vendors.

Once you are able to run Windows Updates and install MS08-067, you should also download, install and run the current Malicious Software Removal Tool (MSRT), which has been updated to detect and remove Conficker/Downadup. Also scan with whatever anti-malware programs you can update and will run (the Worm tries to disable some security apps). Reboot into safe mode and scan/disinfect again.

This Worm resets System Restore, wiping out all of your previous Restore Points, so turn it off during the disinfection process. Once you have cleaned out all traces of any infections you should turn it back on and set a fresh Restore Point.

I will post more details about the purpose of this Worm as I get them (probably building a new Botnet). You can Google the word "Conficker" to learn more.

Note that this critical vulnerability was announced as wormable and was patched in late October 2008 by Microsoft, in an out-of-cycle patch. Only computers with Automatic Updates turned off, or PCs that have not been turned on since October 22, 2008, would not receive the patch. Any Windows computer that is not already patched is vulnerable and probably will be attacked and Pwnd at some point. There is no excuse for not applying MS08-067!

I first posted an alert about this vulnerability and the patch on October 23, 2008, in this article.
_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services
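The post describes the Worm guessing its way into accounts with a dictionary attack and, once it lands an Administrator password, logging in. The burst of failed logons that precedes such a success is visible in the Windows Security event log, and the script below is an added example (not from the post or from Microsoft) of flagging it. It parses a handful of constructed lines shaped like a CSV export of Security events (time, event ID, target account, workstation, source address); that layout, the 60-second window, the threshold of five failures and every sample value are assumptions chosen for illustration. Event IDs 529/528 (2000, XP, 2003) and 4625/4624 (Vista, Server 2008 and later) are the real failed/successful logon IDs.

```python
"""Flag a logon-guessing burst of the kind the post describes.

Added example, not from the original post. The input is a handful of
constructed lines shaped like a CSV export of Windows Security events
(time, event ID, target account, workstation, source address); that
layout, the thresholds and every sample value are assumptions chosen for
illustration, not data from any real incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Failed/successful logon event IDs: 529/528 on 2000, XP and 2003;
# 4625/4624 on Vista, Server 2008 and later.
FAILED_LOGON_IDS = {"529", "4625"}
SUCCESS_LOGON_IDS = {"528", "4624"}

# Constructed sample export: time,event_id,account,workstation,source_ip
SAMPLE_LOG = """\
2009-01-19 19:00:45,4625,wiz,OFFICE-PC,192.0.2.77
2009-01-19 19:01:02,4625,Administrator,OFFICE-PC,192.0.2.45
2009-01-19 19:01:03,4625,admin,OFFICE-PC,192.0.2.45
2009-01-19 19:01:03,4625,Administrator,OFFICE-PC,192.0.2.45
2009-01-19 19:01:04,4625,root,OFFICE-PC,192.0.2.45
2009-01-19 19:01:05,4625,Administrator,OFFICE-PC,192.0.2.45
2009-01-19 19:01:05,4625,user,OFFICE-PC,192.0.2.45
2009-01-19 19:01:06,4625,guest,OFFICE-PC,192.0.2.45
2009-01-19 19:01:07,4625,Administrator,OFFICE-PC,192.0.2.45
2009-01-19 19:01:09,4624,Administrator,OFFICE-PC,192.0.2.45
2009-01-19 19:01:10,4624,wiz,OFFICE-PC,192.0.2.10
"""


def parse_events(text):
    """Turn the CSV-style export into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, workstation, source = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": event_id,
            "account": account,
            "workstation": workstation,
            "source": source,
        })
    return events


def detect_logon_guessing(events, window=timedelta(seconds=60), threshold=5):
    """Return {source_ip: summary} for every source with at least
    `threshold` failed logons inside any `window`, noting whether a
    successful logon from that source followed the burst."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev["event_id"] in FAILED_LOGON_IDS:
            failures[ev["source"]].append(ev)
        elif ev["event_id"] in SUCCESS_LOGON_IDS:
            successes[ev["source"]].append(ev)

    alerts = {}
    for source, fails in failures.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        burst = False
        # Sliding window: move `start` forward until the window fits,
        # then count the failures it contains.
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue
        last_failure = fails[-1]["time"]
        alerts[source] = {
            "failures": len(fails),
            "accounts": sorted({e["account"] for e in fails}),
            "first_seen": fails[0]["time"],
            "last_seen": last_failure,
            # A success after the burst is the "guessed your Administrator
            # password" case the post warns about; treat that host as owned.
            "followed_by_success": any(
                s["time"] >= last_failure for s in successes.get(source, [])
            ),
        }
    return alerts


if __name__ == "__main__":
    for src, info in detect_logon_guessing(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {info['failures']} failures against {info['accounts']}, "
              f"success followed: {info['followed_by_success']}")
```

The single failure from 192.0.2.77 (a user mistyping a password) stays below the threshold, while the eight rapid failures from 192.0.2.45 against five different account names, followed by a successful Administrator logon from the same address, is exactly the pattern worth isolating the machine over. On a real network you would feed this an export from the event log of each workstation or the domain controllers rather than the constructed lines above.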

