AL-2009.0021 -- [Win] -- Update on Conficker as April 2009 activation date approaches |
Date: 26 March 2009
Original URL: http://www.auscert.org.au/render.html?cid=21&it=10702
References: AU-2009.0013
===========================================================================
A U S C E R T A L E R T
AL-2009.0021 -- AUSCERT ALERT
[Win]
Update on Conficker as April 2009 activation date approaches
26 March 2009
===========================================================================
AusCERT Alert Summary
---------------------
Operating System: Windows
Impact: Execute Arbitrary Code/Commands
Access: Remote/Unauthenticated
CVE Names: CVE-2008-4250
Member content until: Wednesday, April 01 2009
OVERVIEW:
The Conficker/Downadup worm, which spreads on Microsoft Windows, is
set to become "active" on April 1st.
IMPACT:
The worm was released shortly after Microsoft published the out-of-cycle
bulletin MS08-067 [1]. The worm, named Conficker and also known as
Downadup, exploits that vulnerability to execute arbitrary code remotely
on the targeted system. It will also attempt to brute-force weak
passwords in order to install itself on the admin share of a networked
computer, and it infects removable media in order to propagate itself.
Conficker has so far been largely dormant, which makes an infection
harder to detect. Self-propagation has been its only observable goal
thus far.
The latest variant, Conficker.C, is set to become active on April 1st
2009. At this stage the exact nature of the activity that will occur
after this date is unknown. What is known is that the malware will
start querying domains looking for a digitally signed payload. It
is imperative that administrators take action in preparation for
this date to minimise the impact of this worm. A detailed analysis of
the C variant is available from sri.com. [2]
MITIGATION:
The worm has spread by a number of vectors:
* via the MS08-067 vulnerability in the Windows Server Service
* via removable media that rely on the Autorun/Autoplay
functionality
* via weak passwords used on network shares
In order to mitigate this threat it is recommended that
administrators take the following action:
* Apply Microsoft's patch for MS08-067 [1]. A machine that is unable
to install the patch may already be infected.
* Disable Autorun/Autoplay. Ways to correctly disable this
functionality can be found in ESB-2009.0076. [3]
* Ensure that your organisation uses strong passwords. Please
see our previous blog on Conficker which includes a list of the
passwords the worm attempts as well as our publication on
choosing strong passwords. [4]
* Ensure all AV products are up-to-date and working correctly. One
of the visible signs that a machine is infected is that it will
disable the AV and prevent users from browsing to a number of AV
sites including, but not limited to, F-Secure, Symantec and
McAfee.
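As an added example that is not part of the AusCERT alert, the following PowerShell script triages a single Windows host against the actions listed above. It assumes that the MS08-067 fix is installed as hotfix KB958644, that Autorun is disabled through the NoDriveTypeAutoRun policy value set to 0xFF (the specific method in ESB-2009.0076 is not reproduced here), and that the three vendor hostnames are representative of the AV sites the worm blocks.

```powershell
# Added example, not AusCERT's code. Checks one host for the three
# mitigation points in the alert and reports anything that looks wrong.
$findings = @()

# 1. Is the MS08-067 patch installed?  (KB number is an assumption;
#    confirm it against the Microsoft bulletin for your platform.)
$patched = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.HotFixID -eq 'KB958644' }
if (-not $patched) {
    $findings += 'MS08-067 patch (assumed KB958644) not installed'
}

# 2. Is Autorun/Autoplay disabled for every drive type?
#    0xFF in NoDriveTypeAutoRun disables it for all drive types.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$autorun   = $policy.NoDriveTypeAutoRun
if ($autorun -ne 0xFF) {
    $findings += "NoDriveTypeAutoRun is '$autorun'; expected 0xFF (255)"
}

# 3. Can the host still reach AV vendor sites?  The alert notes that an
#    infected machine is prevented from browsing to them, so a failed
#    lookup is a hint worth investigating, not proof of infection.
$avSites = 'www.f-secure.com', 'www.symantec.com', 'www.mcafee.com'
foreach ($site in $avSites) {
    try {
        [System.Net.Dns]::GetHostAddresses($site) | Out-Null
    } catch {
        $findings += "DNS lookup failed for $site (possible AV-site blocking)"
    }
}

if ($findings.Count -eq 0) {
    'No Conficker-related findings on this host'
} else {
    $findings
}
```

Run it in an elevated session so that the hotfix and policy queries succeed; a host that fails checks 1 and 3 together warrants an offline AV scan rather than further remote troubleshooting.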
REFERENCES:
[1] AusCERT - AL-2008.0110
http://www.auscert.org.au/10008
[2] An analysis of Conficker C
http://mtc.sri.com/Conficker/addendumC/
[3] AusCERT - ESB-2009.0076
http://www.auscert.org.au/10393
[4] Conficker/Downadup Worm attracts much media attention
http://www.auscert.org.au/10412
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================