Conficker is a work of malware that, in the form of multiple variants, has been worming its way through unpatched Windows desktop and server machines for the last four months.
In October 2008 Microsoft released a fix for the vulnerability that Conficker exploits, yet enough Windows machines have remained unpatched for Conficker to spread to what security researchers estimate to be millions of machines.
The prescription for Conficker prevention is prompt system patching, combined with client firewall and antivirus software for blocking the worm's activities and detecting and eliminating the malware where it surfaces.
Members of the computer security community have prepared a set of freely available tools to aid in Conficker detection and removal for infected systems on your network.
Moreover, because Windows Vista and Windows Server 2008 machines have proven to be significantly less vulnerable to Conficker than systems running Windows 2000, XP and Server 2003, the worm also highlights the very real consequences of stepping off the so-called operating system upgrade treadmill. For all its hardware refresh requirements, potentially unwanted feature adjustments and software incompatibility wrinkles, Vista includes security enhancements that blunted the effect of Conficker on unpatched systems.
How Does Conficker Work?
Conficker's primary means of propagation involves exploiting a buffer overflow vulnerability in Windows' Server system service, which is responsible for, among other things, enabling the sharing of local resources, such as disks and printers, with other machines on a network.
Conficker exploits this vulnerability to execute code on Windows systems, without requiring a system's user to open any file or visit any particular Web site--and without regard to whether a user is running with administrative or limited privileges.
Windows 2000, XP and Server 2003 are particularly vulnerable to Conficker because the affected Server service on these systems is configured to permit access from anonymous users. In October 2008, Microsoft provided information on removing the ACL (access control list) entry that permits this anonymous access, but since the ACL involved is hard-coded into the Windows DLL, this access modification would have had to be made after every boot.
With Windows Vista, Windows Server 2008 and the development builds of Windows 7, the vulnerable service limits access to authenticated users by default, but enabling the no-password file-sharing option on these systems would restore anonymous access--and vulnerability to Conficker.
Unpatched Windows XP SP2, Vista and Server 2008 machines shipped out-of-the-box with Windows' firewall enabled to block the vulnerable RPC (remote procedure call) interface, but the common firewall exception that enables file and print sharing opened the door to Conficker. Even with a firewall exception, however, Vista and Server 2008 machines would allow access to the vulnerable service only from other machines in the same network zone. For instance, sharing a resource on a Private network would not permit access to Conficker-infected nodes.
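The zone behaviour described above (a sharing exception that only admits peers from the local network) is easy to turn into a log check. The following is an added example, not code from the original article: it parses a handful of constructed firewall-log lines in a simplified, hypothetical format (not genuine Windows Firewall output) and counts allowed connections to the file-and-print-sharing ports whose source lies outside the trusted subnet, which is exactly the traffic a properly scoped Vista/Server 2008 exception would have refused.

```python
import ipaddress
from collections import Counter
from typing import Iterator, NamedTuple

# Ports opened by the Windows "File and Printer Sharing" firewall exception:
# TCP 445 (SMB over TCP) and TCP 139 (NetBIOS session), i.e. the network paths
# by which the vulnerable Server service is reached.
SHARING_PORTS = {139, 445}

# Constructed sample lines in a simplified, hypothetical log shape (not real
# Windows Firewall output):
# "<date> <time> <ALLOW|DROP> <proto> <src-ip> <dst-ip> <src-port> <dst-port>"
SAMPLE_LOG = """\
2009-02-10 09:12:01 ALLOW TCP 192.168.1.20 192.168.1.10 51223 445
2009-02-10 09:12:04 ALLOW TCP 10.7.3.99 192.168.1.10 4187 445
2009-02-10 09:12:05 DROP TCP 10.7.3.99 192.168.1.10 4188 139
2009-02-10 09:12:09 ALLOW TCP 172.16.0.5 192.168.1.10 3305 445
2009-02-10 09:12:11 ALLOW TCP 192.168.1.33 192.168.1.10 52002 80
2009-02-10 09:12:15 ALLOW TCP 10.7.3.99 192.168.1.10 4190 445
"""


class Conn(NamedTuple):
    action: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_log(text: str) -> Iterator[Conn]:
    """Yield one Conn per well-formed line; blank or malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue
        _date, _time, action, proto, src, dst, _sport, dport = fields
        yield Conn(action, proto, ipaddress.ip_address(src),
                   ipaddress.ip_address(dst), int(dport))


def out_of_zone_sharing(text: str, zone: str) -> Counter:
    """Count ALLOWed TCP connections to sharing ports from sources outside `zone`.

    `zone` is the trusted local subnet in CIDR form. Any hit is traffic that a
    sharing exception scoped to the local network would have blocked.
    """
    net = ipaddress.ip_network(zone)
    hits: Counter = Counter()
    for c in parse_log(text):
        if (c.action == "ALLOW" and c.proto == "TCP"
                and c.dport in SHARING_PORTS and c.src not in net):
            hits[str(c.src)] += 1
    return hits


if __name__ == "__main__":
    for src, n in out_of_zone_sharing(SAMPLE_LOG, "192.168.1.0/24").most_common():
        print(f"{src}: {n} allowed connection(s) to sharing ports from outside the zone")
```

Run against a real firewall log, the same counting distinguishes the expected in-zone SMB chatter from peers on foreign subnets reaching the sharing ports, which is the pattern an unscoped exception lets through; dropped attempts are deliberately excluded because the firewall already did its job there.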
Firewall and service authentication requirements aside, Windows Vista and Server 2008 worked to mitigate Conficker infection with Address Space Layout Randomization, which, combined with the Data Execution Prevention functionality introduced in XP SP2, makes it significantly more difficult to exploit buffer overflow vulnerabilities such as the one targeted by Conficker.