A worm dubbed Win32/Conficker.A is making the rounds of Windows machines, exploiting a security hole that Microsoft released a patch for in October, the software maker said on Wednesday.
The number of attacks has increased over the past couple of days, exploiting a critical vulnerability that was addressed by security update MS08-067.
The malware has mostly been spreading inside corporations, but has also hit several hundred home PCs, Microsoft said in a posting on the Microsoft Malware Protection Center blog.
"It opens a random port between port 1024 and 10000, and acts like a web server. It propagates to random computers on the network by exploiting MS08-067. Once the remote computer is exploited, that computer will download a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .jpg extension when copied over and then it is saved to the local system folder as a random named dll," the posting states.
"It is also interesting to note that the worm patches the vulnerable API in memory so the machine will not be vulnerable anymore. It is not that the malware authors care so much about the computer as they want to make sure that other malware will not take it over too," Microsoft said.
Most of the infections are in US PCs, but there have also been reports from Germany, Spain, France, Italy, Taiwan, Japan, Brazil, Turkey, China, Mexico, Canada, Argentina and Chile. The worm avoids infecting Ukrainian computers for some reason, Microsoft said.
Several bots, under the generic name Backdoor:Win32/IRCbot.BH, are also exploiting the security hole. They drop a backdoor Trojan that connects to an IRC server to receive commands.
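The propagation sequence Microsoft describes above (exploit a neighbour over the network, then have the victim pull a .jpg-named DLL over HTTP from a random port between 1024 and 10000) can be turned into a simple correlation rule for network logs. The Python below is an added detection example, not code from the article or from Microsoft; the flow-record format, the constructed sample records and the assumption that the exploitation step appears as traffic to TCP 445 are mine.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed flow records (not real captures), one per line:
# timestamp src dst dst_port [request_line] first_response_bytes_hex
SAMPLE_FLOWS = [
    "2008-11-26T10:01:02 10.0.0.5 10.0.0.9 445 - -",              # assumed exploit step
    "2008-11-26T10:01:03 10.0.0.9 10.0.0.5 5431 GET /x.jpg 4d5a9000",   # victim pulls "jpg"
    "2008-11-26T10:02:00 10.0.0.7 203.0.113.10 80 GET /logo.jpg ffd8ffe0",  # normal image
    "2008-11-26T10:02:30 10.0.0.5 10.0.0.12 445 - -",
    "2008-11-26T10:02:31 10.0.0.12 10.0.0.5 8080 GET /a.jpg 4d5a9000",
    "2008-11-26T10:03:00 10.0.0.7 10.0.0.20 8080 GET /photo.jpg ffd8ffe0",  # real JPEG
]

@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    request: str  # HTTP request line, or "-" for non-HTTP traffic
    head: str     # hex of the first response bytes, "-" if not recorded

def parse_flow(line: str) -> Flow:
    ts, src, dst, dport, *rest = line.split()
    request = " ".join(rest[:-1]) if len(rest) > 1 else "-"
    return Flow(ts, src, dst, int(dport), request, rest[-1] if rest else "-")

def is_worm_style_download(f: Flow) -> bool:
    """HTTP fetch from an internal host on a port in 1024-10000 where the URI
    ends in .jpg but the body starts with a PE header ('MZ' = 0x4d5a)."""
    path = f.request.split()[1] if f.request.startswith("GET ") else ""
    return (ipaddress.ip_address(f.dst).is_private
            and 1024 <= f.dport <= 10000
            and path.lower().endswith(".jpg")
            and f.head.lower().startswith("4d5a"))

def find_worm_servers(lines: List[str]) -> Dict[str, List[str]]:
    """Correlate the two steps: A reaches B on 445 (assumed exploit vector),
    then B downloads a .jpg-named PE from A's high port. Returns A -> [B, ...]."""
    flows = [parse_flow(l) for l in lines]
    first_smb: Dict[tuple, str] = {}
    for f in flows:
        if f.dport == 445:
            first_smb.setdefault((f.src, f.dst), f.ts)  # earliest contact wins
    servers: Dict[str, List[str]] = {}
    for f in flows:
        key = (f.dst, f.src)  # server first contacted the victim
        if is_worm_style_download(f) and key in first_smb and first_smb[key] <= f.ts:
            servers.setdefault(f.dst, []).append(f.src)
    return servers

if __name__ == "__main__":
    print(find_worm_servers(SAMPLE_FLOWS))
```

Hosts named as keys in the result are the ones serving the worm binary and are the first to isolate; the victims listed under them need the MS08-067 update and a malware scan.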
Talkback
Network discovery solutions shed light into the risk areas that are often not visible within the network environment. With newfound visibility into the organisation's environment, IT can discover all assets within the network and uncover undetected or unknown vulnerabilities. Sometimes, discovered assets are silent or hidden systems within a network, providing access to potential threats. By performing comprehensive discovery, organisations receive a flexible approach to understanding and assessing what IT assets are connected to the network as well as discovering all rogue machines, including IP address range, Active Directory, OUs, network enumeration, host name, and file port import.
Doing so not only solidifies security, it also has the potential to streamline operational TCO. Not only can these assets be a source of vulnerabilities, but they are also potentially underutilized resources. By adopting automated discovery, organisations can gain a complete view of all IT assets residing on the network.
Effectively identifying and remediating vulnerabilities before they attack a network environment is a great way to reduce IT TCO.
Within a vulnerability assessment process, the best way to guarantee vulnerabilities are identified is by defining the system configurations within the assessment. Since over 65% of vulnerabilities are due to misconfigurations, i.e. configuration errors and lapses by IT administration, these can be immediately identified and remediated.