MS08-067 OOB Patch – Conficker – Downadup worm

AV vendor F-Secure estimates that over 8 million systems have been infected with a variant of the Conficker worm known as ‘Downadup’. This worm leverages the security vulnerability addressed by the Microsoft out-of-band patch MS08-067 released in October 2008.

The worm spreads by accessing computers over the NetBIOS\SMB ports 139 and 445. It can also infect computers via malicious code on USB devices. Once a computer is infected it scans the local network looking for other machines to infect. If it can’t propagate to other systems via the vulnerability, it attempts to logon to the admin$ share by brute-forcing username\password combinations until it mounts the hard drive.

Once infected, the worm turns off the Windows Update service – thereby preventing the machine from obtaining the very patch that would have prevented the initial exploitation. The worm also denies Internet access to the websites of many different security vendors. Attempting to go to your AV or security vendor of choice to download detection or removal tools will be blocked by this worm. (The Shavlik domain is not blocked by the worm.) The worm is also known to modify the Windows firewall settings to allow access to the computer via specified ports.

Finally, the worm ‘phones home’ to see if the malware authors have published any instructions to their army of infected ‘zombies’. To date, no instructions have been released, however, there is a concern in the security community that infected machines may be instructed to ‘wake up’ and perform malicious acts at some point in the future.

Users are encouraged to install the MS08-067 patch as soon as possible – recognizing that the built-in windowsupdate agent functionality may not function if the machine has already been infected. Microsoft has also released an updated malicious software removal tool that removes some variants of the Conficker worm.

Additional information about the details of the worm can be found on the F-Secure blog here:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: