-----BEGIN PGP SIGNED MESSAGE-----
____/ Doug Mentohl on Monday 23 February 2009 15:50 : \____
> Conficker is one of a new interesting breed of self-updating worms that
> has drawn much attention recently from those who track malware ..
> The exploit employs a specially crafted remote procedure call (RPC) over
> port 445/TCP, which can cause Windows 2000, XP, 2003 servers, and Vista
> to execute an arbitrary code segment without authentication. The
> exploit can affect systems with firewalls enabled, but which operate
> with print and file sharing enabled ...
> Conficker .. checks for the presence of a firewall. If a firewall
> exists, the agent sends a UPNP message to open a local random high-order
> port ..
> Next, it opens the same high-order port on its local host .. This
> backdoor is used during propagation, to allow newly infected victims to
> retrieve the Conficker binary.
> What is XML-RPC? It's a spec and a set of implementations that allow
> software running on disparate operating systems, running in different
> environments to make procedure calls over the Internet.
> I am very suspicious of tools that allow you to bypass network security
> systems. Yes, they make life easier. But if security is important, then
> all security decisions should be made by a central process; tools that
> bypass that centrality are very risky ...
Conficker already has undetectable siblings (variants). We're only seeing the
beginning of this saga and amid meltdown, the last thing businesses and
hospitals need is to become a sub-botnet.
~~ Best of wishes
Roy S. Schestowitz | Gas, brake, honk! Honk, honk, punch! Gas, gas!
http://Schestowitz.com | Open Prospects | PGP-Key: 0x74572E8E
Tasks: 140 total, 1 running, 139 sleeping, 0 stopped, 0 zombie
http://iuron.com - knowledge engine, not a search engine
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
-----END PGP SIGNATURE-----
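
Added example, not part of the original post: a defender-side sketch that correlates the three behaviours the quoted analysis describes (a UPnP request for a high-order port, inbound connections to that port, and outbound 445/TCP to many hosts). The record layouts, the sample addresses, the 1024 cutoff for "high-order" and the fan-out threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data (not real captures); field layout is an assumption.
# UPnP port-mapping requests seen at the gateway: (internal_host, external_port)
UPNP_MAPPINGS = [("10.0.0.23", 41873), ("10.0.0.40", 8080)]

# Flow records: (src, dst, dst_port)
FLOWS = [("10.0.0.23", "10.0.0.%d" % i, 445) for i in range(1, 31)] + [
    ("10.0.0.40", "10.0.0.5", 445),     # ordinary file-share use
    ("10.0.0.77", "10.0.0.23", 41873),  # inbound connection on the mapped port
    ("10.0.0.51", "10.0.0.5", 445),
]


def find_signals(mappings, flows, fanout_threshold=20, high_port=1024):
    """Return {host: [signal, ...]} for hosts showing any of the behaviours."""
    mapped = defaultdict(set)        # host -> high ports it asked UPnP to open
    for host, port in mappings:
        if port > high_port:
            mapped[host].add(port)

    smb_peers = defaultdict(set)     # host -> distinct 445/TCP destinations
    inbound_hits = defaultdict(set)  # host -> peers that reached a mapped port
    for src, dst, dport in flows:
        if dport == 445:
            smb_peers[src].add(dst)
        if dport in mapped.get(dst, ()):
            inbound_hits[dst].add(src)

    report = {}
    for host in sorted(set(mapped) | set(smb_peers)):
        signals = []
        if mapped.get(host):
            signals.append("upnp_high_port")
        if inbound_hits.get(host):
            signals.append("inbound_on_mapped_port")
        if len(smb_peers.get(host, ())) >= fanout_threshold:
            signals.append("smb_fanout")
        if signals:
            report[host] = signals
    return report


def suspects(report):
    """Hosts showing all three behaviours together deserve triage first."""
    return [h for h, s in report.items() if len(s) == 3]


if __name__ == "__main__":
    print(suspects(find_signals(UPNP_MAPPINGS, FLOWS)))
```

Any single signal is common on ordinary networks; the combination on one host is what narrows the list.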