Rapid7 warned of a sophisticated new Internet worm that threatens to steal personal and financial information from infected PCs. Within the previous two weeks the worm, Downadup (also known as "Conflicker" and "Kido") struck an estimated nine million machines worldwide. Fortunately, mitigation is easy.
Downadup takes advantage of a flaw in a Remote Procedure Call (RPC) within Windows Server. Using a rare out-of-cycle patch, Microsoft addressed this flaw in October 2008 by issuing Microsoft Security Bulletin MS08-067 and warned then that a similar RPC flaw back in 2003 had been used to produce the Blaster worm.
According to a SANS Internet Storm Center Diary entry on January 15, 2009, Downadup uses multiple vectors to infect PCs. Windows PCs not patched in October are especially vulnerable. However, new Downadup variants include the ability to crack administrator passwords and directly infect corporate PCs via network shares. Finally, Downadup can also infect removable drives, such as USB or external hard drives.
Once a Windows system is infected, Downadup attempts to download malicious software. What makes Downadup different is that it randomly generates up to 250 random URLs each day, with only one of those URLs being active. The active or "control" server is then used to download the malicious programming although for what purpose remains unclear.
The best protection is to install the MS08-067 patch if you haven't already done so, and to also change your administrator passwords immediately.
If your computer is already infected, most antivirus products and even Microsoft's free Malicious Software Removal Tool should be able to remove Downadup.
0 comments:
Post a Comment