Fw: Web Threat Alert: DOWNAD/Conficker Worm

1 view
Skip to first unread message

Jim Bolinski

unread,
Apr 1, 2009, 8:10:12 AM4/1/09
to acs-a...@googlegroups.com

Advanced Computer Solutions
(231) 933-6333
www.acs-service.com


From: Trend Micro Channel Team
Date: Tue, 31 Mar 2009 17:34:48 -0700 (PDT)
To: <j...@acs-service.com>
Subject: Web Threat Alert: DOWNAD/Conficker Worm

 
 
March 31, 2009
 
Background
The first samples for the Conficker/Kido/DownadUp (detected by Trend Micro as WORM_DOWNAD.A) were discovered in November 2008 with new samples (detected as WORM_DOWNAD.AD and WORM_DOWNAD.KK) arriving in early 2009. DOWNAD exploits a vulnerability in Windows that Microsoft patched (MS08-067) in October.
 
DOWNAD.AD added the ability to spread through network shares and removable storage devices (e.g. USB drives) using the AutoRun function in Windows.
 
DOWNAD.KK shuts down security services, blocks infected computers from connecting to security websites, and downloads a Trojan. It also reaches out to other infected computers via peer-to-peer communications services, and includes an algorithm to update infected PCs.
 
What's the goal of this worm?
It appears that the goal of this worm is to create a large botnet of infected PCs so that its creators may at some point send spam, steal personal information (user IDs, passwords, credit card info, etc.) and direct users to malicious websites used for phishing or downloading additional malware.
 
What's happening on April 1st?
On April 1st, 2009, the latest variant (WORM_DOWNAD.KK) will begin to modify the way in which it communicates with other infected botnet nodes (PCs, servers), and will also increase the number of machines it attempts to contact in order to infect them. There is no evidence that the worm will do anything beyond modifying its communications methods.
Additional Information
 
Additionally, this threat is an example of the new breed of Web threats being developed by cybercriminals who use multiple techniques and protocols to infect and propagate their attacks. The Trend Micro Smart Protection Network blocks threats before they can enter the network and our correlated in-the-cloud web, email and file reputation databases allow us to quickly analyze and block new threats as they appear. Smart Protection Network powers many of our consumer, SMB and Enterprise solutions today. Learn more.
 
Need Help?
Call our Partner Hotline at
1-888-SMB-TREND (762-8736).
 
How do I know whether my customers' PCs are infected?
Instruct your customers to scan their PCs using their current Trend Micro product or HouseCall to see whether they are infected. If it is determined that they are infected, find instructions for removal below:
  •  Consumers
  • Small Business
  •  Medium Business, Enterprise
 
How do I protect my customers' PCs from being infected?
  •  Customers should immediately install patches/updates for MS08067 and other vulnerabilities as soon as vendors release these patches. They should configure their PCs to receive automatic updates and patches from Microsoft and software vendors.
  • Make sure your customers' security software is up to date.
  • Instruct customers to disable the “Drive Auto-run” feature to avoid infections from USB drives.
  • Your customers should employ secure passwords using a combination of letters, numbers and symbols and frequently change them.
  •  Educate your customers to take caution when searching online for DOWNAD and Conficker information. There are reports of rogue antivirus packages that are taking advantage of the situation. They will tell you that you are infected and ask you to pay money to download their application, which in many cases turns out to be malware.
 
Copyright © 2009 Trend Micro Incorporated. All trademarks acknowledged, all rights reserved. Trend Micro, the t-ball logo, and InterScan are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners. Unsubscribe from Trend Micro e-mail at any time. Legal Notice · Privacy Policy · Contact Us
http://www.trendmicro.com/
Reply all
Reply to author
Forward
0 new messages