Archive

Archive for the ‘conficker’ Category

Protect your PC from the Conficker worm

May 10th, 2012 No comments

The most recent Microsoft Security Intelligence Reports (SIR) describes the ongoing threat of the Conficker worm and urges businesses and individuals to apply security updates.

Microsoft first recognized the Conficker threat in November 2008 and since then the Microsoft Malware Protection Center has been regularly releasing security updates to help protect against Conficker. The worm continues to spread when businesses and individuals don’t install these patches and update their systems and the use of weak passwords in the business sector environment. The worm was also able to infect large numbers of computers when system administrators used the Autorun feature in Windows XP and Windows Vista and through the use of weak passwords.

Think you’re computer or network is infected with Conficker? Get clean up tips.

Read the latest Security Intelligence Report

May 1st, 2012 No comments

Last week Microsoft released Volume 12 of the Security Intelligence Report (SIR) which covers our research of software vulnerabilities, exploits, and malicious and potentially unwanted software from July – December 2011.

One of the main focuses of this version of the report is the ongoing threat of the Conficker worm, which threatens businesses and large organizations who use weak passwords or do not install updates to their systems.

Over the next month we’ll explore the Conficker threat and other highlights from the SIR, including how to avoid scareware and how you can prevent unwanted software with free tools from Microsoft.

Download SIR Volume 12.

Download the key findings from SIR Volume 12.

SIRv12: The obstinacy of Conficker

April 25th, 2012 No comments

Conficker is one of the most significant threat families facing organizations worldwide today; its initial impact along with its continued obstinacy shows that clearly. In the fourth quarter of 2011 – three years after its initial release – it attempted to infect just over 1.7 million computers. Conficker’s persistence is illustrated not only by the number of computers it has attempted to infect, but also by the nearly 59 million attacks launched against those computers in the fourth quarter of 2011. But perhaps the most interesting manifestation of its obstinacy is that it has been the number one threat facing businesses for the past two and a half years.

Conficker affects a higher percentage of business computers than consumer computers

Figure 1. Conficker affects a higher percentage of business computers than consumer computers

The nature of how later Conficker variants spread is the key to understanding what makes the worm so much more of an issue for businesses than for consumer users. Initially the worm spread through the Internet solely by exploiting a software vulnerability in the Windows Server service that had been addressed months earlier in Microsoft Security Bulletin MS08-067. About one month later, Conficker was updated to spread using the Autorun feature and weak passwords or stolen login tokens. The use of weak passwords and stolen login tokens was the change that gave it a foothold in the business sector environment.

Once later variants of Conficker infect a computer, they attempt to spread by copying themselves into administrative shares of other computers on the network. First the malware tries to use the current user’s credentials to copy itself, but if that fails it attempts to exploit weak passwords; the worm uses a pre-existing list of common weak passwords that it carries with it. If that fails, Conficker remains dormant until new credentials are available. If a remote administrator logs into the infected computer to try to clean it or diagnose problems caused by the worm, Conficker uses the administrator’s login token to infect as many computers as possible. The combination of these credential-based attacks accounted for 100% of all recent infection attempts from Conficker targeting Enterprise Microsoft Forefront Endpoint Protection users on Windows 7 and Windows Vista platforms.

How Conficker spreads through corporate networks

Figure 2. How Conficker spreads through corporate networks

Despite Microsoft removing Conficker from approximately 283,000 computers per quarter on average for the past year, the worm continues to be persistent. As an illustration of this, the average number of attacks per system throughout 2011 is on the rise. During the first quarter of 2011 the average number of times Conficker attacked a single computer was 15, but by the fourth quarter that number had more than doubled to 35.

The average number of Conficker attacks per system is on the rise

Figure 3. The average number of Conficker attacks per system is on the rise

One of the primary ways to defend against Conficker is by enforcing a strong password policy. A single computer with a weak password could easily be enough to cause a major disruption inside a corporate network, especially considering the increasing trend in the number of Conficker attacks per computer. If the worm does get inside a network, a good guide to cleaning it out can be found in the How-to: Removal of Conficker in your FCS environment blog post. Along with strong passwords, it is important to keep systems up to date by regularly applying available updates for all software being used and to use antivirus software from a trusted source, and make sure AV signatures are regularly updated.

You can find more information there on the obstinacy of Conficker in our latest Microsoft Security Intelligence Report volume 12 that launched today, as well as other global and regional trends in Internet security.
 
– Joe Blackbird, MMPC

 

Categories: conficker, MS08-067, SIR v12, weak passwords Tags: