Microsoft server worm can spread via USB
The worm, which F-Secure calls Downadup, attacks the vulnerability outlined in MS08-067, a Windows Server service flaw that was patched in October.
The worm launches a dictionary attack to attempt to crack user passwords, and uses server-side polymorphism and modification to the Access Control Lists (ACL) "to make network disinfection particularly difficult", F-Secure said in a blog post on Tuesday.
However, F-Secure said it has discovered the worm also propagates on the client side, via USB. If a person plugs a USB stick into an infected computer, the malware creates an autorun.inf file on the root of the USB drive.
The .inf file then uses autorun or autoplay to infect any unpatched system, either when the stick is plugged in or when the user double-clicks the USB icon in My Computer in Windows Explorer.
The USB worm uses a steganographic technique to hide the autorun file in "binary garbage" to make detection more difficult, said F-Secure's chief research officer Mikko Hyppönen in a blog post on Wednesday.
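As an added illustration (not F-Secure's tooling and not part of the original article), a defender can triage an autorun.inf found on removable media by pulling out the directives that survive between runs of padding and measuring how much of the file is not INF text. It assumes the directives remain ordinary key=value lines under an [autorun] header; the function name, threshold and sample bytes are constructed for this example.

```python
import re

# Keys in the [autorun] section that launch or advertise a program.
KEY_RE = re.compile(r"^(open|shellexecute|action|icon|useautoplay|shell(\\\w+\\command)?)$", re.I)
LINE_RE = re.compile(r"^([^=;\[\]]+?)\s*=\s*(.*)$")

def is_text(raw: bytes) -> bool:
    """True when every byte is printable ASCII or a tab."""
    return all(b == 9 or 32 <= b < 127 for b in raw)

def triage_autorun(data: bytes, junk_threshold: float = 0.5) -> dict:
    """Pull [autorun] directives out of a file and measure how much of it is padding."""
    directives, junk_bytes, in_autorun = [], 0, False
    for raw in re.split(rb"[\r\n]+", data):
        if not is_text(raw):
            junk_bytes += len(raw)          # binary run: not INF syntax
            continue
        line = raw.decode("ascii").strip()
        if not line or line.startswith(";"):
            continue                        # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        m = LINE_RE.match(line)
        if not m:
            junk_bytes += len(raw)          # printable, but not key=value
        elif in_autorun and KEY_RE.match(m.group(1)):
            directives.append((m.group(1).lower(), m.group(2).strip()))
    ratio = junk_bytes / len(data) if data else 0.0
    # A file that is mostly padding yet still carries launch directives is worth a closer look.
    return {"directives": directives, "junk_ratio": ratio,
            "suspicious": bool(directives) and ratio >= junk_threshold}

# Constructed samples (not taken from a real infection).
JUNK = bytes(range(128, 256)) * 4
PADDED = (JUNK + b"\r\n[AUTORUN]\r\n" + JUNK + b"\r\nopen=PLACEHOLDER.EXE\r\n" + JUNK
          + b"\r\nshell\\open\\command=PLACEHOLDER.EXE\r\n" + JUNK)
PLAIN = b"[autorun]\r\nicon=setup.ico\r\nlabel=Install disc\r\n"

if __name__ == "__main__":
    for name, blob in (("padded", PADDED), ("plain", PLAIN)):
        print(name, triage_autorun(blob))
```

The padded sample is flagged because launch directives sit in a file that is almost entirely non-text, while the plain install-disc file is not.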
The US Computer Emergency Response Team has urged IT professionals to apply the patch linked to in MS08-067.
ZDNet UK reader gareth25, who describes himself as an IT consultant from Manchester, said he has had to deal with systems infected by this worm. "I have first hand experience with this worm," wrote gareth25 in a response to a ZDNet UK story. "The connections it made outbound crashed the firewall and brought the internet down constantly. It's not exactly a one click removal either. Please patch your systems now."
Talkback Most Recent of 12 Talkback(s)
And all my users keep wondering why
I always disable Autorun...
Michael Kelly, 8th Jan 2009
I too
have taken a ton of flak for disabling Autorun.
Users just don't seem to understand the risk.
It is a feature that should be eliminated. Forever.
mdemuth, 8th Jan 2009
Thanks ZDNet!!!
I just brought up one of my servers with W28K and made damned sure that I am completely updated today before bringing it into production. Windows update automatically updated and installed the patch -- But thank you anyway, it's better to be safe and sorry.
Kromaethius, 8th Jan 2009
RE: Microsoft server worm can spread via USB
Patched since October. This is a non-issue.
Loverock Davidson, 8th Jan 2009
Uh huh.
Code Red still spreads and that's been patched for how long?
rpmyers1, 8th Jan 2009
For quite a while
And the patch is out. So it's not a problem either.
Loverock Davidson, 8th Jan 2009
MY IDS Logs have quite a bit of traffic
from infected Code Red and Nimda machines.
Saying it isn't a problem is only looking at one facet. While MY servers aren't susceptible (Linux), the bandwidth being lost to these attacks is not insignificant.
Try as I might, I can't get my ISP to filter out all that crap.
-Mike
SpikeyMike, 8th Jan 2009
If it's not a problem, how come there are still infections
If there are any infected machines on the internet, it's a problem. Period. Full stop. No exceptions.
It's not Microsoft's problem, but it's still a problem.
rpmyers1, 8th Jan 2009
Worm infects MP3 players as well
The Downadup worm, also known as Conficker, infects any Windows mapped drive. This not only includes network drives but also any removable media that Windows creates a drive letter for, such as some MP3 players & mobile phones. If your PC is infected it starts a service that cloaks the file from being recognised as an infected file by anti-spyware programs. Scanning it records it as a clean file until you stop the cloaking service. It's a nasty pervasive little thing!!!
Dunsobarky, 9th Jan 2009