http://www.sqlservercentral.com/blogs/brian_kelley/2009/01/20/conficker-downadup-worm-one-more-time/

Printed 2014/04/16 05:45PM

Conficker / Downadup Worm One More Time

2009/01/20

Hopefully by now everyone has seen this, but if not, here's a reminder to continue to spread the details. Denis Gobo made a post earlier today and Security MVP Randy Franklin Smith sent out a newsletter after being prompted by his MVP lead.

The worm is known as Conficker or Downadup and here are the details from Microsoft. It attacks a vulnerability that was patched in MS08-067 (released in October) by attacking the Windows Server service, which, by default, all Windows machines have running (even if you're running a workstation... that's how you can have file shares and share out your printer). One of the nasty sets of things it does is disable automatic updates as well as AV / Malware protection that would try and stop it. It will also potentially block certain security sites (like where AV downloads from) based on a string search (more information in the details link).

 In addition, it will flood the network and launch password hack attempts against user accounts, resulting in locked user accounts if there is any account lockout policy in place (and there should be). I've already had one friend whose network got hit by this and it was a hard clean-up of their environment as a result. Therefore the best way to stop this thing is to patch. After all, that patch was released in October. That was over 3 months ago now.

One last attack vector, and that's via removable drives. That's why I blogged about disabling autoplay. Not only does it stop those annoying splash screens when you insert a CD or DVD or the dialog window asking what to do when you insert the USB drive, it also ensures that by inserting a removable drive you don't get a social engineering based attack in that dialog window.

 


Copyright © 2002-2014 Simple Talk Publishing. All Rights Reserved. Privacy Policy. Terms of Use. Report Abuse.