Archive for January, 2009

MS08-067 OOB Patch – Conficker – Downadup worm

AV vendor F-Secure estimates that over 8 million systems have been infected with a variant of the Conficker worm known as ‘Downadup’. This worm leverages the security vulnerability addressed by the Microsoft out-of-band patch MS08-067 released in October 2008.

The worm spreads by accessing computers over the NetBIOS/SMB ports 139 and 445. It can also infect computers via malicious code on USB devices. Once a computer is infected, it scans the local network looking for other machines to infect. If it can’t propagate to other systems via the vulnerability, it attempts to log on to the admin$ share by brute-forcing username/password combinations until it mounts the hard drive.

Once infected, the worm turns off the Windows Update service – thereby preventing the machine from obtaining the very patch that would have prevented the initial exploitation. The worm also denies Internet access to the websites of many different security vendors. Attempting to go to your AV or security vendor of choice to download detection or removal tools will be blocked by this worm. (The Shavlik domain is not blocked by the worm.) The worm is also known to modify the Windows firewall settings to allow access to the computer via specified ports.

Finally, the worm ‘phones home’ to see if the malware authors have published any instructions to their army of infected ‘zombies’. To date, no instructions have been released, however, there is a concern in the security community that infected machines may be instructed to ‘wake up’ and perform malicious acts at some point in the future.

Users are encouraged to install the MS08-067 patch as soon as possible – recognizing that the built-in Windows Update agent functionality may not work if the machine has already been infected. Microsoft has also released an updated Malicious Software Removal Tool that removes some variants of the Conficker worm.
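A detection-side illustration of the admin$ password guessing described above, added here and not part of the original post: it scans a constructed export of network logon events for one source failing against several different accounts on one host within a short window, which is what the worm's brute-forcing looks like in a security log. The record format, hosts, accounts and thresholds are assumptions, not values from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export of network logon events (sample data, not from the page):
# "<ISO time> <source> <target> <account> <status>" per line. 10.0.0.23 guesses
# several accounts against 10.0.0.5 and then 10.0.0.6 within seconds, the way
# the worm works the admin$ share; 10.0.0.40 is a user who mistyped once.
SAMPLE_LOG = """\
2009-01-14T09:00:01 10.0.0.23 10.0.0.5 administrator FAILED
2009-01-14T09:00:02 10.0.0.23 10.0.0.5 admin FAILED
2009-01-14T09:00:03 10.0.0.23 10.0.0.5 backup FAILED
2009-01-14T09:00:05 10.0.0.23 10.0.0.5 administrator SUCCESS
2009-01-14T09:00:20 10.0.0.23 10.0.0.6 administrator FAILED
2009-01-14T09:00:21 10.0.0.23 10.0.0.6 admin FAILED
2009-01-14T09:00:22 10.0.0.23 10.0.0.6 backup FAILED
2009-01-14T09:05:00 10.0.0.40 10.0.0.5 jsmith FAILED
2009-01-14T09:05:30 10.0.0.40 10.0.0.5 jsmith SUCCESS
"""

def parse_log(text):
    """Parse the export into (time, source, target, account, status) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, account, status = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, account, status))
    return events

def find_password_guessing(events, threshold=3, window=timedelta(minutes=1)):
    """Flag (source, target) pairs that fail logon for `threshold` or more distinct
    accounts inside one sliding window; note whether that pair also logged on."""
    failures, successes = defaultdict(list), set()
    for ts, src, dst, account, status in events:
        if status == "FAILED":
            failures[(src, dst)].append((ts, account))
        else:
            successes.add((src, dst))
    findings = []
    for (src, dst), attempts in failures.items():
        attempts.sort()
        start = 0
        for end, (t_end, _) in enumerate(attempts):
            while t_end - attempts[start][0] > window:  # slide window forward
                start += 1
            accounts = {a for _, a in attempts[start:end + 1]}
            if len(accounts) >= threshold:
                findings.append({"source": src, "target": dst, "accounts": len(accounts),
                                 "succeeded": (src, dst) in successes})
                break
    return findings
```

A single source flagged against more than one target, as 10.0.0.23 is here, is the propagation pattern to chase first; a lone user mistyping a password never trips the distinct-account threshold.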

Additional information about the details of the worm can be found on the F-Secure blog here:



More information, and an official apology, on MS09-001

I’ve received queries from press, end users, and vendors about my commentary on Patch Tuesday and would like to take this time to provide some background on what led to my comments, as well as a slightly tempered position on the patch itself.

On Patch Tuesday, I read the 09-001 bulletin. Upon reading about the issue I immediately got a bad feeling about it. Unauthenticated exploitation via the SMB protocol is really bad. Prior history shows that this can lead to really evil things, including events similar to Blaster and Sasser.

Our PR firm was hounding me to push out commentary to the press, so I gave them what I knew (see below). My commentary was spot on – at least with as much as was written in the security bulletin itself (

It wasn’t until a few hours later when I was able to catch my breath and do further perusal that I stopped by to view Microsoft’s short version of the security bulletins for January ( In this spot, they include the exploitability index for each of the bulletins released during the month. For MS09-001, they rated it a ‘3 – functioning exploit code unlikely’. They also included a link to a blog post with more information (

In this blog post, Microsoft explains that the likelihood of exploitation is mitigated by the vast amount of information that the attacker must have about a particular machine in order to exploit that machine using the 09-001 vulnerability. Specifically, they say,

“Controlling what data is overwritten is difficult. To exploit this type of kernel buffer overrun, an attacker typically needs to be able to predict the layout and contents of memory. The memory layout of the targeted machine will depend on various factors such as the physical characteristics (RAM, CPUs) of the system, system load, other SMB requests it is processing, etc.”

Had I read this before I released my patch commentary, I would have modified my comments to say,

“This is potentially a very bad flaw – but Microsoft has assured us that the knowledge required to exploit this is quite high, is unlikely to be available to the attacker, and even in those cases where the information can be obtained, the ability to actually get exploitable code is infinitesimally small, therefore the risk on this should be considered as something lower than the ‘Critical’ rating which Microsoft has assigned.”

I would have continued on to say,

“Unauthenticated SMB flaws are similar in nature to what was exploited in the Blaster and Sasser worms. While these ports are usually blocked on Internet firewalls and personal firewalls, these ports are typically left open in a corporate network. If a worm is released, and that worm makes it into a corporate network, it will make Swiss cheese of that network relatively quickly. Fortunately, it appears that the likelihood of a worm for this vulnerability is very low.”

And if I was feeling particularly feisty, I would also ask,

“Why doesn’t Microsoft include the exploitability index in the bulletin itself? Why must I visit other variants of the bulletin to obtain this information, and then a third location to read details that tell me that the Critical issue of which I was alerted probably isn’t that Critical after all? Make it easy – include the Exploitability Index in the bulletin!”

So here’s my official apology for crying wolf on this issue when I should have done my due diligence and read all three Microsoft locations before offering my opinion on this issue.

That being said… you should still get this patch installed on your systems.



MS09-001 is a super critical patch to install right away. This vulnerability is similar to what prompted the Blaster and Sasser worms a few years ago. We expect to see a worm released for this in the very near future.

This flaw enables an attacker to send evil packets to a Microsoft computer and take any action they desire on that computer – no credentials required. The only prerequisite for this attack to be successful is a connection from the attacker to the victim over the NetBIOS (File and Printer Sharing) ports (TCP 139 or 445). By default, most computers have these ports turned on.

While these ports are usually blocked on Internet firewalls and personal firewalls, these ports are typically left open in a corporate network. If a worm is released, and that worm makes it into a corporate network, it will make Swiss cheese of that network relatively quickly.
