Napera

Microsoft indicated how seriously they take Conficker / Downadup this morning by offering a $250,000 bounty for the conviction of the miscreants who wrote the malware. They are also working with computer security specialists and the Internet Corporation for Assigned Names and Numbers (ICANN) to track down whoever unleashed Conficker. The group includes Symantec, F-Secure, VeriSign, Afilias, Internet Systems Consortium (ISC), and the Shadowserver Foundation.

All Microsoft resources on fighting Conficker / Downadup have been centralized at http://microsoft.com/conficker. We’ve updated our blog post on Conficker  / Downadup solutions and removal to include this new URL.

Read the full article…

As Conficker / Downadup passes 12 million victims, it has taken out another high profile victim, according to the Houston Chronicle.

Houston shut down part of its municipal court operations Friday, cancelling hearings and suspending arrests for minor offenses after a computer virus infected hundreds of its machines. City officials said they expected the problems to extend at least through Monday. [...] By Friday afternoon, officials said the virus appeared to be contained to 475 of the city’s more than 16,000 computers. But the problems it caused grew so severe that city officials made an emergency purchase order for up to $25,000 to bring in Gray Hat Research, a technology security company that began trying to eradicate it through the early morning hours Friday.

Microsoft also published some additional guidance on dealing with Conficker / Downadup. We’ve updated our blog post on Conficker  / Downadup solutions and removal to include this new info.

Read the full article…

Conficker / Downadup continues to spread, garnering coverage in the mainstream press as the biggest worm epidemic of recent years. Several organizations have issued bulletins on the topic or updated software, summarized below. We’ve also updated our blog post on Conficker  / Downadup solutions and removal to include new info.

Read the full article…

Conficker aka Downadup has returned to the headlines this week. Network World reported on a ‘huge increase’ in worm attacks plaguing unpatched PC’s, noting the biggest issue is replication over the network. F-Secure estimated 3.5 million infected networks worldwide, a jump of over a million victims in 24 hours, a large part of which is coming from corporate networks. Panda Security has already compared Conficker to the infamous Melissa and ILOVEYOU worms. Our blog post on solutions for removing Conficker / Downadup and using the Napera N24 to prevent more outbreaks has had more than a thousand visitors already.

Read the full article…

Since I started posting about the MS08-067 patch and Conficker aka Downadup late last year, traffic to our blog on this topic has been steadily building, and it hit a new high last Friday with over a thousand visitors looking for help. On the same day, a friend told me over coffee that Downadup had been plaguing his company network for weeks and asked for suggestions.

That prompted me to post some tips on how you can stop the spread of Conficker / Downadup.B today and how the Napera N24 can help you clean up your network and prevent future malware outbreaks. If you have additional suggestions, please feel free to add a comment below.

Read the full article…

The Internet Storm Center has just reported on a variant of Conficker, called W32.Downadup.B, disclosed by Symantec that is spreading in the wild. The original Conficker (aka WORM_DOWNAD.A and Net-Worm.Win32.Kido.l) spread to over half a million hosts during November, using the Windows RPC exploit, which became widely known on October 23rd. The primary driver was simple – users were slow to apply Microsoft’s MS08-067 patch in October, ignoring the critical nature of the update and only reacting weeks later when Symantec and Trend Micro published news of Conficker spreading in the wild. According to a Qualys analysis, 70% of Windows machines they scanned in December remained unpatched six weeks later.

Read the full article…

For most malware authors, deriving profit from cybercrime is a simple numbers game. The more machines infected with malware that join a botnet, steal data via keyloggers or send spam, the more profitable the operation.

As a result, malware authors are always looking for new vectors for infecting victims. Although today’s vector of choice remains web browser exploits via compromised sites, this is self-limiting in the sense that the pool of people willing or able to visit a compromised site is somewhat small. When you consider that many malware infected machines are located in a network with other machines close by, compromising the local network is another way to quickly spread the infection. This behavior isn’t new – it goes back to the Morris Worm in 1988 and continued with Code Red and others in more recent times. New malware we’ve seen in 2008 such as Conficker, Gimmiv and Agent.BTZ looks for local hosts or network shares that can be compromised.

One of the original drivers behind network access control was the driving need to stop the spread of this type of network aware worm. The recent malware Trojan.Flush.M is an example that expands upon the network based attacks seen with a trojan like Conficker or Gimmiv to potentially compromise an entire network. Trojan.Flush.M does this by using a rogue DHCP server as a mechanism to change local domain name settings in a new spin on what is traditionally known as a pharming attack.

Read the full article…

2008 has been a malware roller coaster ride, and as the end of the year approaches, the bad guys appear to be picking up speed. Microsoft released six critical patches this morning, fixing remote code execution flaws in Windows, Word, Excel, Internet Explorer and Visual Basic. No news yet of exploits in the wild but they usually aren’t far behind.

These latest fixes come on the heels of a New York Times article which claims malicious software is spreading faster than ever and that the industry cannot get ahead of the onslaught, and many folks are saying we are losing the war.

Read the full article…

As a followup to my post on the Conficker worm in the wild, Trend Micro reported on Sunday that they have now seen over 500,000 infected hosts with this malware (which Trend call WORM_DOWNAD.A and is also known as Net-Worm.Win32.Kido.l). That’s a pretty incredible growth trajectory for the Windows RPC exploit which only became widely known on October 23rd. At this rate we could be seeing the birth of a rival to established botnets like Storm.

Read the full article…