Home Messages Index
[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index

Re: analysis of the Conficker worm ..

Hash: SHA1

____/ Doug Mentohl on Monday 23 February 2009 15:50 : \____

> Conficker is one of a new interesting breed of self-updating worms that
> has drawn much attention recently from those who track malware ..
> The exploit employs a specially crafted remote procedure call (RPC) over
> port 445/TCP, which can cause Windows 2000, XP, 2003 servers, and Vista
> to execute an arbitrary code segment without authentication.  The
> exploit can affect systems with firewalls enabled, but which operate
> with print and file sharing enabled ...
> Conficker .. checks for the presence of a firewall.  If a firewall
> exists, the agent sends a UPNP message to open a local random high-order
> port ..
> Next, it opens the same high-order port on its local host .. This
> backdoor is used during propagation, to allow newly infected victims to
> retrieve the Conficker binary.
> http://mtc.sri.com/Conficker/
> What is XML-RPC? It's a spec and a set of implementations that allow
> software running on disparate operating systems, running in different
> environments to make procedure calls over the Internet.
> http://www.xmlrpc.com/
> I am very suspicious of tools that allow you to bypass network security
> systems. Yes, they make life easier. But if security is important, than
> all security decisions should be made by a central process; tools that
> bypass that centrality are very risky ...
> http://www.schneier.com/blog/archives/2005/07/microsoft_build.html

Conficker already has undetectable siblings (variants). We're only seeing the
beginning of this saga and amid meltdown, the last thing businesses and
hospitals need is to become a sub-botnet.

- -- 
                ~~ Best of wishes

Roy S. Schestowitz      | Gas, brake, honk! Honk, honk, punch! Gas, gas!
http://Schestowitz.com  |  Open Prospects   |     PGP-Key: 0x74572E8E
Tasks: 140 total,   1 running, 139 sleeping,   0 stopped,   0 zombie
      http://iuron.com - knowledge engine, not a search engine
Version: GnuPG v1.4.9 (GNU/Linux)


[Date Prev][Date Next][Thread Prev][Thread Next]
Author IndexDate IndexThread Index