Microsoft's Security Response Center and McAfee are warning on increased network scanning activity during the last couple of days courtesy of the very latest W32/Conficker.worm exploiting the already patched MS08-067 vulnerability. What's particularly interesting in the latest wave of copycat worms is that W32/Conficker.worm is patching the infected host in order to ensure that competing malicious parties wouldn't be able to get in using it. How nice of them.
"This malware mostly spreads within corporations but also was reported by several hundred home users. It opens a random port between port 1024 and 10000 and acts like a web server. It propagates to random computers on the network by exploiting MS08-067. Once the remote computer is exploited, that computer will download a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over and then it is saved to the local system folder as a random named dll. It is also interesting to note that the worm patches the vulnerable API in memory so the machine will not be vulnerable anymore. It is not that the malware authors care so much about the computer as they want to make sure that other malware will not take it over too."
The public release of the proof of concept code in September, prompted an immediate reaction by international underground communities releasing several different modifications of the exploit, with the Chinese to be first to release a do-it-yourself tool allowing subnet scanning and automatic exposure to malware hosted on a third-party server. At first, the tool was released with commercial intentions with its authors charging $37.80, however, just like the majority of proprietary web malware exploitation kits, several days later the tool leaked to the general public. From a strategic perspective, whereas such DIY tools indeed empower low-profile cybercriminals, the real danger comes from scanning modules introduced within larger botnets.