News

Conficker Worm Still Wreaking Havoc on Windows Systems

Users of Windows Server service that haven't patched a previously disclosed worm hole (MS08-067) are taking a big risk.

• By Jabulani Leffall
• January 14, 2009

Microsoft on Tuesday released its January security update. However, the company is still trying to get Windows pros to fix an issue that first appeared as an out-of-band bulletin back in October. That patch was supposed to take care of a remote code execution (RCE) exploit in remote procedure call requests (RPC) that could affect a whole network if harnessed by hackers.

These stepped-up warnings from Microsoft come after independent ITSec shop Panda Security said in several reports that Windows users haven't seen the last of the RCE exploit. Both Panda and Symantec officials have said they've seen increased attacks, as well as a growth in malware, deriving from Conficker attacks.

In cases where the security patch hasn't been applied, Conficker-type bugs can ding Windows-based PCs with malicious RPC packets. Specifically, the bug allows corrupt subroutines on a network to be executed automatically. The worm can affect Windows 2000, XP and Vista operating systems, as well as Windows Servers 2003 and 2008.

Because this month's patch cycle was so thin, now might be the moment to look seriously at the October fix, experts say.

"For administrators who failed to patch the RPC vulnerability that was reported back in October 2008, this is the best time to go back and patch the issue," said Paul Henry, security and forensic analyst for endpoint security outfit Lumension. "Security experts are starting to see new variants appearing in the wild for this. We're seeing more widespread use of the vulnerability today than we did back in October."

The fact that so many Windows systems seem to be at risk raises questions about security patch turnaround times in the enterprise. A Qualys survey found that more than 50 percent of machines get patched after approximately 30 days.

"After that period, we see the patch rates go down and the overall number of machines that are attackable only slowly diminishing," said Wolfgang Kandek, chief technology officer of Qualys Inc. "Unfortunately this leaves enough machines to be exploited by the "Conficker" worm types even today, over 45 days later."

Kandek sees a general lack of alarm among IT pros.

"We would have liked to see a faster reaction by the computer users given the significance of the patch but there still seems to be a barrier to reach everybody and make them understand the urgency of patching."