The Conficker threat grows

downadup

The conficker threat is growing day by day .The latest variants of Conficker has spread to over 9 million PCs and Servers worldwide as it uses multiple techniques to spread to vulnerable systems.This dangerous worm has also been named as Downadup , WORM_DOWNAD.A and even Net-Worm.Win32.Kido.l

The worm initially spread to systems unpatched against MS08-067, but has since evolved and is now able to spread to patched computers through portable USB drives through brute-force password-guessing.The malware first tries to use the credential of the logged-on user. If that fails, it attempts to obtain a list of user accounts on the target machine and then tries to connect using each user name and to a list of weak passwords, such as “1234” or “password.” The first variant of the Conficker worm appeared in November 2008.Security researchers began to see the second variation of the malware in late December 2008.

Many experts have compared the Conficker attack to Nimda, another bug that hit corporations in 2001, which spread quickly as well. Others have speculated the bug may be the beginning stages of a new botnet.

Downadup contains a number of features designed to make it harder for security pros to shut down.The worm, which was first reported by Panda and other security companies on Dec. 31, 2008, exploits a vulnerability in the Windows Server service that’s part of all currently supported versions of Microsoft’s operating system, including Windows 2000, XP, Vista, Server 2003 and Server 2008.

Some of the activities is takes up once in your system :

  • Connects to external sites to download additional files.
  • Deletes the user’s Restore Points.
  • Registers a services called Netsvcs.
  • Creates it’s own simple HTTP server on the infected computer and spreads the worm to other computers in the network through file shares.
  • Creates an Autorun.inf file in file shares to execute the warm files once the share is accessed by another computer.

Few reasons why conficker is spreading rapidly :

  • It infects removable devices and network shares  by creating a special autorun.inf file  and dropping its own DLL on the device.
  • It exploits the MS08-067 vulnerability,
  • It brute forces Administrator passwords  on local networks and spreads through ADMIN$ shares .


The major  strength of Conficker is USB sticks.Downadup creates its own Autorun.inf file and transports itself to all systems where it is inserted . I would suggest that you disable AutoPlay in your environments, unless it’s really necessary.


INFECTED IPs WORLDWIDE (Source: F-Secure)

  • China 38,277
  • Brazil 34,814
  • Russia 24,526
  • India 16,497
  • Ukraine 14,767
  • Italy 13,115
  • Argentina 11,675
  • Korea 11,117
  • Romania 8,861
  • United States 3,958
  • United Kingdom 1,789

Once interesting fact related to this worm is that, Microsoft blog noted that the variant avoids infecting computers that use Ukrainian keyboard layout, raising suspicions that the malware authors are located in the Ukraine. So the conficker worm is expected to have orginated from Ukraine .

Additional Readings :

Related post

Advertisements

4 comments on “The Conficker threat grows

  1. It would be much easier for you if you replaced your Windows opearting system with a Free, simple, slim, frequently updated and maintained on a daily basis Linux system like Ubuntu Intrepid Ibex

  2. Not only can this virus disrupt your PC, since it can disable your ability to connect to software update sites it leaves you vulnerable to even more malware. You need to disable AutoPlay as well as patch your PC. See: http://www.downadup.com

  3. Pingback: Microsoft serious on “Downadup” issue « Openbook

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s