Conficker malware ups the ante
Roger A. Grimes explains why keeping up to date with patches can mean the difference between a functional system and a playground for hackers
Follow @rogeragrimesI'm finding many Windows servers without the MS08-067 patch and no specific mitigations applied. There hasn't been a very large malware outbreak (a la Code Red, SQL Slammer, etc.) in a few years, and perhaps this could be leading to a false sense of security.
If you don't patch, the ever-transforming Conficker malware program could end up testing your security perimeter breach responses. Microsoft released the patch on Oct. 23, 2008, nearly two months ago. To remain unpatched at this point and time doesn't seem to be a great idea, but there are still plenty of vulnerable servers out there.
How the Conficker worm still wreaks havoc
The Conficker worm's main exploit vector is by buffer overflowing unpatched versions of Windows Server services, which is represented by the Workstation and Server services, and svchost.exe processes. Initial exploitation normally occurs remotely over NetBIOS/SMB ports 139 or 445 using a malformed RPC request. It can be accomplished with an unauthenticated connection in Windows XP Pro and Windows Server 2003, but requires an authenticated connection in Windows Vista and Windows Server 2008.
[ Take a slideshow tour of InfoWorld's 2009 Technology of the Year Award winners in Applications, Middleware, and Data Management | Application Development | Platforms and Virtualization | Systems and Storage | Networking and Security ]
Once a system is infected, Conficker takes a variety of actions, including exploiting several routes that have nothing to do with the Server services. It disables common anti-malware programs and uses DNS modifications to prevent local end-users from surfing to anti-malware-related Web sites (which might be one of the first clues that you're infected). It spreads to mapped file shares and identified removal drives. Once there, it creates a subdirectory folder called Recycler (emulating the Recycle Bin) and places an Autorun.inf file, which may be auto-launched when visited.
