Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

MS08-067 Worm Dangers - New Conficker variants manipulate AUTORUN.INF


  • Please log in to reply
27 replies to this topic

#1 harrywaldron

harrywaldron

    Security Reporter


  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:02:29 PM

Posted 15 January 2009 - 10:58 AM

The latest variants of Conficker has spread to over 3 million PCs and Servers worldwide as it uses multiple techniques to spread to vulnerable systems. The MS08-067 patch must be applied to help prevent infections.

How Big is Downadup? Very Big.
http://www.f-secure.com/weblog/archives/00001580.html
http://www.f-secure.com/weblog/archives/00001579.html

QUOTE: Today's total infection count is an estimated 3,521,230 infections worldwide

Conficker's autorun and social engineering
http://isc.sans.org/diary.html?storyid=5695

Very Deceptive AUTORUN.INF tactics are used
http://www.f-secure.com/weblog/archives/00001575.html

QUOTE: F-Secure posted some interesting information about the number of infections which is almost certainly in millions (and who knows how many machines will stay infected as the owners will not even notice anything). One of the reasons for infecting so many machines is that Conficker uses multiple infection vectors:

1.It exploits the MS08-067 vulnerability,
2.It brute forces Administrator passwords on local networks and spreads through ADMIN$ shares and finally
3.It infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device.

More on MS08-067 Worm developments
http://www.f-secure.com/weblog/archives/00001576.html

Techniques for disabling AUTORUN for USB plug-in devices
http://technet.microsoft.com/en-us/magazin...uritywatch.aspx
http://support.microsoft.com/kb/953252
http://nick.brown.free.fr/blog/2007/10/mem...tick-worms.html

MS08-067 Conficker worm - F-Secure offers free removal tools
ftp://ftp.f-secure.com/anti-virus/tools/beta/fsmrt.zip
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip

PATCH NOW - if there are any servers or PCs that are not update for Microsoft security releases. Home users can employ the Windows Update process. More information can be found in the link below:

MS08-067 Security Patch Information
http://www.microsoft.com/technet/security/...n/MS08-067.mspx

BC AdBot (Login to Remove)

 


#2 samuel3

samuel3

  • Members
  • 2,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:29 PM

Posted 15 January 2009 - 11:32 AM

I dont have this update yet? Is this because im using Vista and Vista isn't affected by this?

#3 zep516

zep516

  • Security Colleague
  • 18 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pittsburgh, Pa
  • Local time:01:29 PM

Posted 15 January 2009 - 01:01 PM

This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008.

#4 samuel3

samuel3

  • Members
  • 2,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:29 PM

Posted 16 January 2009 - 11:33 AM

I never got this update on Vista.

#5 IrishGuy74

IrishGuy74

  • Members
  • 27 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ireland
  • Local time:06:29 PM

Posted 17 January 2009 - 10:21 AM

A worm that spreads through low security networks, memory sticks, and PCs without the latest security updates is posing a growing threat to users.

The malicious program, known as Conficker, Downadup, or Kido was first discovered in October 2008.

Although Microsoft released a patch, it has gone on to infect 3.5m machines.

Experts warn this figure could be far higher and say users should have up-to-date anti-virus software and install Microsoft's MS08-067 patch.


Right now, we're seeing hundreds of thousands of [infected]unique IP addresses
Toni Koivunen, F-Secure

According to Microsoft, the worm works by searching for a Windows executable file called "services.exe" and then becomes part of that code.

It then copies itself into the Windows system folder as a random file of a type known as a "dll". It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.

Once the worm is up and running, it creates an HTTP server, resets a machine's System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker's web site.

INFECTED IPs WORLDWIDE
China 38,277
Brazil 34,814
Russia 24,526
India 16,497
Ukraine 14,767
Italy 13,115
Argentina 11,675
Korea 11,117
Romania 8,861
United States 3,958
United Kingdom 1,789
Source: F-Secure

Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down.

But Conficker does things differently.

Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers' files. On the face of it, tracing this one site is almost impossible.

Speaking to the BBC, Kaspersky Lab's security analyst, Eddy Willems, said that a new strain of the worm was complicating matters.

"There was a new variant released less than two weeks ago and that's the one causing most of the problems," said Mr Willems

"The replication methods are quite good. It's using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creating new variants though this mechanism."

"Of course, the real problem is that people haven't patched their software. If people do patch their software, they should have little to worry about," he added.

Technicians have reverse engineered the worm so they can predict one of the possible domain names. This does not help them pinpoint those who created Downadup, but it does give them the ability to see how many machines are infected.

"Right now, we're seeing hundreds of thousands of unique IP addresses connecting to the domains we've registered," F-Secure's Toni Kovunen said in a statement.

"We can see them, but we can't disinfect them - that would be seen as unauthorised use."

Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.
http://news.bbc.co.uk/2/hi/technology/7832652.stm
__________________

#6 samuel3

samuel3

  • Members
  • 2,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:29 PM

Posted 18 January 2009 - 04:04 PM

Can someone link me to this patch for vista?

Cheers,
Samuel3.

#7 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 34,561 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:11:29 AM

Posted 18 January 2009 - 08:17 PM

Can someone link me to this patch for vista?

Cheers,
Samuel3.


MS08-067 Security Patch Information
http://www.microsoft.com/technet/security/...n/MS08-067.mspx


It was the last link in the very first post. :thumbsup:

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)


Follow BleepingComputer on: Facebook | Twitter | Google+

#8 DSTM

DSTM

    "Bleepin' Aussie Addict"


  • Members
  • 2,649 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:SYDNEY-AUSTRALIA
  • Local time:04:29 AM

Posted 19 January 2009 - 01:32 AM

Latest reports say, as many as 8 Million Computers, are now infected.
This is serious.
http://edition.cnn.com/2009/TECH/ptech/01/...adup/index.html















#9 samuel3

samuel3

  • Members
  • 2,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:29 PM

Posted 19 January 2009 - 11:58 AM

Can someone link me to this patch for vista?

Cheers,
Samuel3.


MS08-067 Security Patch Information
http://www.microsoft.com/technet/security/...n/MS08-067.mspx


It was the last link in the very first post. :thumbsup:



Why didnt i get this update? I have AutoMatic updates on.

I also dont see this update for Vista 32 bit system Service pack 1, Why is this?

Edited by samuel3, 19 January 2009 - 12:03 PM.


#10 Lloyd T

Lloyd T

  • Members
  • 853 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:02:29 PM

Posted 19 January 2009 - 07:20 PM

What's the XP SP2 update's KB number?

Edited by Lloyd T, 19 January 2009 - 07:20 PM.


#11 Zoidyn

Zoidyn

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:11:29 AM

Posted 19 January 2009 - 11:09 PM

KB Article 958644 (http://support.microsoft.com/kb/958644)

#12 harrywaldron

harrywaldron

    Security Reporter

  • Topic Starter

  • Members
  • 509 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:02:29 PM

Posted 20 January 2009 - 06:37 AM

Hi - Please also note that on INFECTED systems, the worm has the capability to block Windows Updates ... Also, the update came out over 80 days ago and if you use autoupdate you're most likely protected.

HOW TO CHECK: Trying another Windows Update can help. Also I truly like the free Secunia PSI tool in checking both MS and other updates to ensure you're current

Microsoft - Windows Update Web Site

Secunia PSI - Can check your system for missing updates



#13 samuel3

samuel3

  • Members
  • 2,349 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:29 PM

Posted 20 January 2009 - 11:14 AM

This update for me was on 11th of november 2008.

It was about 40-50 days ago it came out? Mine has always been on Automatic Updates.

#14 Lloyd T

Lloyd T

  • Members
  • 853 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Canada
  • Local time:02:29 PM

Posted 20 January 2009 - 04:03 PM

KB958644 was installed on November 28, 2008 in my computer.

#15 tork

tork

  • Members
  • 718 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:here
  • Local time:02:29 PM

Posted 22 January 2009 - 11:38 AM

harrywaldron

thank you :thumbsup:

tork




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users