MS08-067 Attacks Arrive En-Masse
It has taken just on a month for the first real significant level of attacks against Microsoft's Critical out-of-cycle patch (MS08-067) to arrive. Microsoft's Malware Protection Center and many security companies are busily spreading word about the increase in attacks.
It is possible that the prediction that the week of ThanksGiving is the peak for system infections might just hold up.
From analysis performed by Microsoft, McAfee, Symantec, and others, the worm is known to do the following:
- Delete user-created System Restore points
- Ascertains the current date from a number of major search engines
- Generates a list of domains based on the date result
- Contacts these generated domains for data and additional files
- Effectively acts as a web server
- Propagates to random systems on the same network through the same vulnerability
Once the system has been infected, the worm actually patches the vulnerable system calls so that other malware targeting the same vulnerability can not successfully infect the system over the top of the worm.
Somewhat interestingly, the worm is reported to be avoiding infecting Ukraine-based systems, something which might give some insight into who created the worm and why.
The worm is being alternatively described as Downadup or Conficker by different antimalware companies, but it is all the same. There are also several bots that are targeting the vulnerabilities patched in MS08-067.
If the MS08-067 patch has not yet been applied, it is critical that it is applied as soon as possible.
27 November 2008
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.Comments will soon be available for registered users.