Internet Worm Attacks Windows...Again

Because Windows has more holes than a slab of Swiss cheese, another worm has found its way down into the warm, gooey center.
According to a Microsoft blog, the number of attacks from Win32/Conficker.A has increased over the last few days. The funny thing is, Microsoft already addressed the security hole with update MS08-067 released back in October. But despite the recent patch, the malware is currently focusing on corporations, and has even appeared on several hundred home PCs.
"It opens a random port between port 1024 and 10000 and acts like a web server," says Microsoft’s Ziv Mador. "It propagates to random computers on the network by exploiting MS08-067. Once the remote computer is exploited, that computer will download a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over and then it is saved to the local system folder as a random named dll."
In the blog, Mador explains that the worm patches the vulnerable API in memory so that the current host machine will no longer be vulnerable. While this may sound unusual for malware, this in fact ensures that no other malware will infect the system while the worm resides in the bowels of Windows. Mador also noted that there are several IRC bots exploiting the security hole patched by MS08-067.
"We detect them as Backdoor:Win32/IRCbot.BH," he said.
Win32/Conficker.A creates a copy of itself in the %System% directory, using a random file name, when executed. If the worm infects a Windows 2000 machine, it injects code into the "services.exe" process; if the platform is another Windows operating system, the worm creates a new service called netsvcs. The worm then goes online and connects to trafficconverter.biz and attempts to download and execute loadadv.exe. CA rates its threat assessment as medium in destructiveness and pervasiveness, but low in overall risk; Symantec also rates the worm as medium and low.
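The network behaviour described above (a .JPG fetched from a peer on a port between 1024 and 10000, then a request to trafficconverter.biz for loadadv.exe) can be checked for in web proxy logs. The Python below is an added example, not code from Microsoft or this article; the log format, sample lines, function names and the restriction of the .jpg rule to IP-literal hosts are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators quoted in the article for Win32/Conficker.A
C2_HOST, C2_FILE = "trafficconverter.biz", "loadadv.exe"
PORT_MIN, PORT_MAX = 1024, 10000  # range of the worm's HTTP listener

# Constructed sample log (assumed format): "<time> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2008-11-26T09:14:02 10.0.4.17 GET http://10.0.4.88:4731/xkqpd.jpg 200
2008-11-26T09:14:09 10.0.4.17 GET http://trafficconverter.biz/loadadv.exe 200
2008-11-26T09:15:30 10.0.4.23 GET http://intranet.example:8080/logo.jpg 200
2008-11-26T09:16:11 10.0.4.23 GET http://10.0.4.90:80/banner.jpg 200
2008-11-26T09:17:45 10.0.4.31 GET http://10.0.4.88:12000/a.JPG 200
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify(url):
    """Return the name of the rule a URL matches, or None."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    path = parts.path.lower()
    if host == C2_HOST or host.endswith("." + C2_HOST) or path.endswith("/" + C2_FILE):
        return "c2-download"
    try:
        ipaddress.ip_address(host)  # assumption: peers are addressed by IP literal
    except ValueError:
        return None  # named host: treat as an ordinary image fetch
    if port is not None and PORT_MIN <= port <= PORT_MAX and path.endswith(".jpg"):
        return "peer-payload"
    return None

def scan(log_text):
    """Return (client, rule, url) for every GET line that matches a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(3) == "GET":
            rule = classify(m.group(4))
            if rule:
                hits.append((m.group(2), rule, m.group(4)))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

A client that appears under both rules, as 10.0.4.17 does in the sample, is the strongest candidate for isolation and a check that MS08-067 is installed.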
Reports of the infestation mainly originate in the States; however, reports from other countries, including Germany, Spain, France, Italy, Taiwan and eight others, are coming in as well. Surprisingly, the worm has avoided Ukraine altogether, as Microsoft states that no cases of infection have been reported in that country.
Microsoft said that it will continue to monitor the situation; however, consumers should install MS08-067 if they have not already done so.