Update
TrendLabs has discovered a new Conficker variant (detected as WORM_DOWNAD.E). It appears that this may be the activity that was supposed to happen on April 1st. This new variant only affects those PCs that have been previously infected with WORM_DOWNAD.KK. If your customers' Trend Micro products have been patched and they are running the latest engines and pattern files, they are protected from this variant.
To make sure your system is protected, make sure that you have installed all of the security patches for Microsoft Windows operating systems, particularly patch MS08-067. Make sure your system is configured to receive security updates and patches from Microsoft as well as other third-party vendors automatically.
Make sure your security software such as Trend Micro, Symantec, or McAfee is up to date.
Make sure you disable the “Drive Auto-run” feature to avoid infections from USB drives.
You should employ secure passwords using a combination of letters, numbers and symbols and frequently change them.
Make sure to take caution when searching online for DOWNAD and Conficker information. There are reports of rogue antivirus packages that are taking advantage of the situation. They will tell you that you are infected and ask you to pay money to download their application, which in many cases turns out to be malware.
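The following PowerShell script is an added example, not code from the Trend Micro advisory or from this blog. It audits a Windows host against the advice above (the MS08-067 patch, automatic updates, AutoRun disabled) and also checks for the symptom described in the Background section below, where DOWNAD.KK blocks connections to security websites. Assumptions: KB958644 is the hotfix ID Microsoft assigned to MS08-067 (a known fact, but not stated on this page); the registry paths are the standard Explorer and Windows Update policy locations; the function names and the hostname list are mine. Run it from an elevated prompt.

```powershell
# Added example: audit a Windows host against the Conficker/DOWNAD advice.
# Requires Windows PowerShell 2.0 or later; run elevated for complete results.

function Test-Ms08067Patch {
    # KB958644 is the hotfix for MS08-067 (assumption: known outside this page).
    # On newer Windows versions the fix is folded into cumulative updates, so a
    # missing entry is a prompt to verify the OS build, not proof of exposure.
    $hotfix = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $_.HotFixID -eq 'KB958644' }
    return [bool]$hotfix
}

function Test-AutoRunDisabled {
    # NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type,
    # which is the "Drive Auto-run" setting the advisory says to disable.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun `
              -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($v -eq 0xFF) { return $true }
    }
    return $false
}

function Test-AutomaticUpdates {
    # AUOptions = 4 means "download and install updates automatically".
    # Group Policy and the local setting live in different keys; accept either.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    )
    foreach ($p in $paths) {
        $v = (Get-ItemProperty -Path $p -Name AUOptions `
              -ErrorAction SilentlyContinue).AUOptions
        if ($v -eq 4) { return $true }
    }
    return $false
}

function Test-SecuritySiteResolution {
    # The advisory says DOWNAD.KK blocks infected hosts from reaching security
    # websites. Vendor names failing to resolve while a control name resolves
    # is a heuristic indicator only. The hostname list is an assumption.
    $sites   = @('www.trendmicro.com', 'www.symantec.com', 'www.mcafee.com',
                 'update.microsoft.com')
    $control = 'www.example.com'

    try { [void][System.Net.Dns]::GetHostAddresses($control) }
    catch { return 'inconclusive: no DNS at all' }

    $blocked = @()
    foreach ($s in $sites) {
        try { [void][System.Net.Dns]::GetHostAddresses($s) }
        catch { $blocked += $s }
    }
    if ($blocked.Count -eq 0) { return 'ok' }
    return 'suspicious: cannot resolve ' + ($blocked -join ', ')
}

function Get-DownadAuditReport {
    # Collect every check into one object so it can be logged or exported.
    return New-Object PSObject -Property @{
        Ms08067Patched     = Test-Ms08067Patch
        AutoRunDisabled    = Test-AutoRunDisabled
        AutoUpdatesEnabled = Test-AutomaticUpdates
        SecuritySiteDns    = Test-SecuritySiteResolution
    }
}

Get-DownadAuditReport | Format-List
```

Any $false result maps directly to one of the advisory's steps; a "suspicious" DNS result is a reason to scan the host with up-to-date antivirus rather than a diagnosis on its own.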
Monday, April 13, 2009
Wednesday, April 1, 2009
What is the Conficker Worm
Many of you may have heard a lot on the news or from a friend about the Conficker Worm that is supposed to make contact with its creator sometime today, April 1st, AKA April Fools' Day. This is not a new worm at all. It has been around for a while now. I thought it would be good to post some info about the worm as well as some technical background to help better understand it and what it does. A post by Trend Micro, one of the big manufacturers of antivirus and anti-spyware protection software products out on the market, does a great job explaining the worm, so I have posted it here for your reference. Please read below.
Background
The first samples for the Conficker/Kido/DownadUp (detected by Trend Micro as WORM_DOWNAD.A) were discovered in November 2008 with new samples (detected as WORM_DOWNAD.AD and WORM_DOWNAD.KK) arriving in early 2009. DOWNAD exploits a vulnerability in Windows that Microsoft patched (MS08-067) in October.
DOWNAD.AD added the ability to spread through network shares and removable storage devices (e.g. USB drives) using the AutoRun function in Windows.
DOWNAD.KK shuts down security services, blocks infected computers from connecting to security websites, and downloads a Trojan. It also reaches out to other infected computers via peer-to-peer communications services, and includes an algorithm to update infected PCs.
What's the goal of this worm?
It appears that the goal of this worm is to create a large botnet of infected PCs so that its creators may at some point send spam, steal personal information (user IDs, passwords, credit card info, etc.) and direct users to malicious websites used for phishing or downloading additional malware.
What's happening on April 1st?
On April 1st, 2009, the latest variant (WORM_DOWNAD.KK) will begin to modify the way in which it communicates with other infected botnet nodes (PCs, servers), and will also increase the number of machines it attempts to contact in order to infect them. There is no evidence that the worm will do anything beyond modifying its communications methods.
