A notice has appeared on the official Windows Malware Protection Centre: Threat Research & Response Blog detailing a new potential security threat in the form of a worm labelled Win32/Conficker.A.
The worm is capable of remote code execution and has mainly been affecting corporate networks, although several hundred home users have also been affected. Following a sharp rise in security reports, Microsoft issued the critical security bulletin MS08-067, which describes the vulnerability the malware is exploiting.
The threat level issued was critical, and there are reportedly no visible symptoms apart from security software notifications. The worm reaches a target over the network via an arbitrary port and then acts as a temporary web server: the target downloads a copy of the worm over HTTP, and the file is written locally with a .jpeg extension. Interestingly, the worm then closes the vulnerability it used so that other malware cannot exploit the same hole.
Microsoft is recommending that customers immediately apply the security update, which changes the way RPC requests are processed. The update is rated Important for the more recent platforms such as Windows Vista and Windows Server 2008, but Critical for earlier platforms, where the worm can execute code remotely and cause serious problems for any network.
A number of bots, collectively detected as Backdoor:Win32/IRCbot.BH, gain access through the same RPC flaw and install a backdoor Trojan that connects to an IRC server from which damaging commands can be issued. The worm has so far mainly affected North and South America, with most infections in the US. Bizarrely, computers in Ukraine seem to be immune.