Conficker, Downadup, Kido: A skunk by any other name

The vulnerability that's enabled the new Downadup (or Conficker or Kido or whatever) worm was patched back in October of last year. Still, because at least 9 million machines that haven't been patched are now infected, here's what you need to know.

Windows of all shapes and sizes. The worm targets them all: Win95, Win98, Windows Me, NT, XP and Vista, along with Windows 2000, Windows Server 2003, and Windows Server 2008. Oh, and Windows 7 pre-beta.

Right to the heart of the system. The vuln, as mentioned, was patched back in October when a private entity revealed it to Microsoft (after, allegedly, a few earlier sorties against the hole by party or parties unknown). The company announced it in Security Bulletin MS08-067 and patched it in an out-of-band fix -- that is, one that got pushed out to the masses not on Patch Tuesday; it was that urgent. The problem lies in the way netapi32.dll handles RPC requests and resides in the Windows Server service. (Say it with me, bug hunters: Stack buffer overflow vulnerability. It's like a broken record with these vulns sometimes.)

A multi-tentacled menace. The Windows Server service affected by the vuln runs with System privileges, so the potential for mayhem is spectacular. The worm copies its executable to the Windows system directory, then creates a service to cause it to be run whenever Windows starts up and modifies the Registry.

Once it's in, it starts infecting other machines by picking a TCP port and launching an HTTP server, getting other machines' IP addresses and attempting that buffer overrun. (In this process, the worm undertakes a brute-force attack to gain access to the Administrator account; a list of attempted passwords at Viruslist.com makes for some embarrassing reading.) The buffer overruns, code is launched to download the worm, and the circle of malware life begins anew.

The worm's astute about disabling the services and notifications that could make note of its presence: Windows Automatic Update Service, Background Intelligent Transfer Service (BITS), Windows Security Center Service and Windows Error Reporting Service. It even blocks access to a slew of security-related Web sites that could flag the problem. It disables Windows Defender and blocks any Security Center notifications. It flushes any System Restore points the user happens to have created on the machine, further disguising its presence. And it knows how to call out to search engines to find the latest copies of itself or whatever other payload its keepers have to offer.

Rumors that it broils your puppy and knocks up your sister were unconfirmed at press time.

By any other name. Yes, it would be lovely if anti-malware companies could get it together on naming this schmutz. In the meantime, Computer Associates calls it Win32/Conficker and reports, so far, an A and a B version. F-Secure calls it W32/Downadup.A. Sophos calls it Mal/Conficker-A. Symantec calls it Conficker except when they're calling it W32.Downadup (thanks, guys). Kaspersky, to keep things interesting, calls it Net-Worm.Win32.Kido and reports several variations. Secunia dubbed it the Microsoft Windows Path Canonicalization Vulnerability. CERT covered it in Technical Cyber Security Alert TA08-297A. And NIST's Common Vulnerabilities and Exposures database, where the data is still under review, calls it CVE-2008-4250.

You don't have to be part of the problem. Patch. You're three months behind schedule. Barring that, SecuriTeam reported back in October that there's a workaround -- disable the Server and Computer Browser services on the machine(s), and block ports 139 and 445 at the firewall.
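An added example, not from the article or any vendor: a PowerShell script that checks whether the MS08-067 update is installed, flags any of the security services listed above that has been switched off (one sign of the worm's tampering), and, on request, applies the SecuriTeam workaround. It assumes an elevated prompt on Vista/Server 2008 or later (for `Get-HotFix` and `netsh advfirewall`); the KB number comes from Microsoft's bulletin, not from the article.

```powershell
# Added example, not part of the article. Assumes an elevated PowerShell
# prompt on Vista/Server 2008 or later (Get-HotFix, netsh advfirewall).
param([switch]$ApplyWorkaround)

# 1. Is the MS08-067 fix installed? KB958644 is the update's KB number
#    (from Microsoft's bulletin; the article itself cites only MS08-067).
$patched = [bool](Get-HotFix -ErrorAction SilentlyContinue |
                  Where-Object { $_.HotFixID -eq 'KB958644' })
if ($patched) { Write-Host 'MS08-067 (KB958644): installed' }
else          { Write-Warning 'MS08-067 (KB958644) NOT installed: patch first' }

# 2. The services the article says the worm switches off, keyed by their
#    standard short service names. Any of these found disabled on a box where
#    no admin disabled them is worth investigating.
$watch = @{
    wuauserv  = 'Windows Automatic Update Service'
    BITS      = 'Background Intelligent Transfer Service'
    wscsvc    = 'Windows Security Center Service'
    WerSvc    = 'Windows Error Reporting Service'
    WinDefend = 'Windows Defender'
}
foreach ($name in $watch.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }   # not present on this Windows edition
    $start = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
    if ($start -eq 'Disabled') {
        Write-Warning ("{0} ({1}) is DISABLED" -f $watch[$name], $name)
    }
}

# 3. SecuriTeam workaround from the article: disable the Server and Computer
#    Browser services and block TCP 139/445 inbound. Only with -ApplyWorkaround,
#    because this also cuts legitimate file and print sharing to the machine.
if ($ApplyWorkaround) {
    foreach ($name in 'LanmanServer', 'Browser') {
        if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $name -StartupType Disabled
        }
    }
    foreach ($port in 139, 445) {
        netsh advfirewall firewall add rule name="Block inbound TCP $port (MS08-067 workaround)" `
            dir=in action=block protocol=TCP localport=$port | Out-Null
    }
    Write-Host 'Workaround applied: Server/Browser disabled, TCP 139/445 blocked inbound'
}
```

Run it without the switch first to see the patch and service state; the workaround is a stopgap until the update is applied, not a replacement for it.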

