Tag Archives: MS08-067

12 Feb, 2009

Microsoft offers $250k bounty for Conficker / Downadup author

Microsoft indicated this morning how seriously it takes Conficker / Downadup by offering a $250,000 bounty for the conviction of the miscreants who wrote the malware. It is also working with computer security specialists and the Internet Corporation for Assigned Names and Numbers (ICANN) to track down whoever unleashed Conficker. The group includes Symantec, F-Secure, VeriSign, Afilias, Internet Systems Consortium (ISC), and the Shadowserver Foundation.

All Microsoft resources on fighting Conficker / Downadup have been centralized at http://microsoft.com/conficker. We’ve updated our blog post on Conficker / Downadup solutions and removal to include this new URL.


9 Feb, 2009

Conficker / Downadup takes out Houston court system – new guidance from Microsoft

As Conficker / Downadup passes 12 million victims, it has taken out another high-profile victim, according to the Houston Chronicle.

Houston shut down part of its municipal court operations Friday, cancelling hearings and suspending arrests for minor offenses after a computer virus infected hundreds of its machines. City officials said they expected the problems to extend at least through Monday. [...] By Friday afternoon, officials said the virus appeared to be contained to 475 of the city’s more than 16,000 computers. But the problems it caused grew so severe that city officials made an emergency purchase order for up to $25,000 to bring in Gray Hat Research, a technology security company that began trying to eradicate it through the early morning hours Friday.

Microsoft also published some additional guidance on dealing with Conficker / Downadup. We’ve updated our blog post on Conficker / Downadup solutions and removal to include this new info.


22 Jan, 2009

New advisories on Conficker / Downadup prevention and removal

Conficker / Downadup continues to spread, garnering coverage in the mainstream press as the biggest worm epidemic of recent years. Several organizations have issued bulletins on the topic or updated software, summarized below. We’ve also updated our blog post on Conficker / Downadup solutions and removal to include new info.


15 Jan, 2009

Conficker / Downadup in the news as worm passes 3.5 million networks

Conficker, aka Downadup, has returned to the headlines this week. Network World reported on a ‘huge increase’ in worm attacks plaguing unpatched PCs, noting that the biggest issue is replication over the network. F-Secure estimated 3.5 million infected networks worldwide, a jump of over a million victims in 24 hours, a large part of which is coming from corporate networks. Panda Security has already compared Conficker to the infamous Melissa and ILOVEYOU worms. Our blog post on solutions for removing Conficker / Downadup and using the Napera N24 to prevent more outbreaks has had more than a thousand visitors already.


12 Jan, 2009

Keeping Conficker / Downadup malware off your network in 2009

Since I started posting about the MS08-067 patch and Conficker (aka Downadup) late last year, traffic to our blog on this topic has been steadily building, and it hit a new high last Friday with over a thousand visitors looking for help. On the same day, a friend told me over coffee that Downadup had been plaguing his company network for weeks and asked for suggestions.

That prompted me to post some tips on how you can stop the spread of Conficker / Downadup.B today and how the Napera N24 can help you clean up your network and prevent future malware outbreaks. If you have additional suggestions, please feel free to add a comment below.


31 Dec, 2008

New Conficker malware variant spreading in the wild

The Internet Storm Center has just reported on a variant of Conficker, called W32.Downadup.B, disclosed by Symantec, that is spreading in the wild. The original Conficker (aka WORM_DOWNAD.A and Net-Worm.Win32.Kido.l) spread to over half a million hosts during November using the Windows RPC exploit, which became widely known on October 23rd. The primary driver was simple – users were slow to apply Microsoft’s MS08-067 patch in October, ignoring the critical nature of the update and only reacting weeks later when Symantec and Trend Micro published news of Conficker spreading in the wild. According to a Qualys analysis, 70% of the Windows machines they scanned in December remained unpatched six weeks later.


4 Dec, 2008

Conficker spreads to 500,000 host botnet – users still unpatched

As a follow-up to my post on the Conficker worm in the wild, Trend Micro reported on Sunday that they have now seen over 500,000 hosts infected with this malware (which Trend calls WORM_DOWNAD.A and which is also known as Net-Worm.Win32.Kido.l). That’s a pretty incredible growth trajectory for the Windows RPC exploit, which only became widely known on October 23rd. At this rate we could be seeing the birth of a rival to established botnets like Storm.


26 Nov, 2008

Conficker Worm Cashes in on MS08-067 on Corporate Networks

Interesting post this morning from Dancho Danchev over on the ZDNet Zero Day blog. As I posted last month, in late October Microsoft rushed out a security patch for the flaw described in bulletin MS08-067, which revealed a previously unknown way to inject code into remote Windows systems due to a flaw in the RPC server. Within hours of the Microsoft bulletin, news arrived of a trojan called Gimmiv.A exploiting this flaw in the wild, and I predicted at the time that more would be on the way. Now the pace has picked up dramatically, with a new Conficker worm using this exploit to infect other machines across the network, as well as a bot called Backdoor:Win32/IRCbot.BH.

From Microsoft’s Security Response Center:
Read the full article…

24 Oct, 2008

Cybercriminals exploiting new Windows flaw. Are you protected?

As Jeff and I were talking about the evolution of security beyond the firewall in our webinar yesterday, along came an out-of-cycle critical patch from Microsoft that proved our point nicely. Security bulletin MS08-067 reveals a previously unknown way to inject code into remote Windows systems due to a flaw in the RPC server. Within hours of the Microsoft bulletin, news arrived of a trojan exploiting this flaw in the wild.

This ranks as one of the most serious Windows flaws disclosed recently and affects almost every flavor of Windows. The Microsoft patch is rated critical for eleven variations of Windows XP, Windows 2000 and 2003. For Vista and Windows Server 2008 it was considered only ‘important’, due to the improved ability of those operating systems to defeat remote code execution attacks. What makes this particular issue even more insidious is that the RPC server can be exposed to attack even when a desktop firewall is running, simply by turning on file or printer sharing: the firewall exception for file and printer sharing opens the SMB ports over which the vulnerable service is reached.

A network vulnerability like this lends itself to worms like Zotob, which wreaked havoc a few years ago and took down several networks. I speculated this morning that exploits would be stealthier this time around and aimed at monetizing security breaches. Sure enough, the Gimmiv.A trojan reported yesterday is a network-aware trojan that attempts to exploit this flaw against PCs on the local network. If it succeeds, it quietly steals passwords from the Windows and Outlook password cache and posts them to a Web site.

Traveling back to Seattle yesterday, I used the free Wi-Fi at San Jose airport. This morning when I came into the office, my laptop hadn’t received the Windows update and the Napera N24 immediately notified me. I was given a one hour deadline in which to install, which I promptly did.

That led me to wonder what the situation would be like if our network were unprotected. If I had neglected to install this Windows update and went traveling again tomorrow, it is likely my laptop would be exposed to this trojan. If I were running XP with file or printer sharing enabled, the laptop would likely be compromised. On an unprotected network, I could have easily waltzed past the corporate firewall, plugged in my compromised laptop and started infecting other PCs.

Microsoft’s quick response is admirable, but the question IT managers need to ask themselves today is simple: how confident are you that users walking into your office today have installed this patch before they connect? Plenty of industry studies show that at least half of corporate PCs won’t update in a timely fashion. Given that at least one exploit is already in the wild, and more are undoubtedly on the way, that’s a universe of opportunity for the bad guys in the coming weeks.
