ESET released its Global Threat Report for the month of September, 2009, identifying the top ten threats seen during the month by ESET’s ThreatSense.Net™ cloud. You can view the report here and, as always, the complete collection is available here in the Threat Trends section of our web site. While the report identifies a number
ESET released its Global Threat Report for the month of September, 2009, identifying the top ten threats seen during the month by ESET’s ThreatSense.Net™ cloud. You can view the report here and, as always, the complete collection is available here in the Threat Trends section of our web site. While the report identifies a number of different types of malware, in this article, I’d like to focus on the Conficker worm as well as the class of worms which spread via AutoRun.
While the overall percentage of reports is on the decline, the Conficker worm (also known as Win32/Conficker, Downadup and Kido) continues to make its presence known throughout cyberspace, accounting for 10.75% of detections. This was actually a slightly upswing from August’s 10.12%, but given that many businesses have employees on vacation during the summer, is not unexpected, and still below the 12.58% seen in July. The Win32/Conficker worm spreads using several vectors, such as unpatched operating systems, vulnerable network shares and via AutoRun on removable media such as USB flash drives. ESET detects the malicious AUTORUN.INF file used by the worm to spread separately from its Win32 portable executable file, and currently sees a ratio of about one AUTORUN.INF file to every 4.8 executable file detections of the worm.
While a substantial number of Conficker infestations are blocked at the removable media infection layer, there are still a large number of networks outs there where the worm is spreading. While ESET’s software does detect and remove the Conficker worm, it is important to keep in mind that anti-malware is only one component of security, and that other steps need to be taken as well in order to keep a network clean:
- If you have not already done so, deploy Microsoft’s MS08-067 patch for the vulnerability initially used by the worm to infect systems. It is also a good idea to install the MS08-068 and MS09-001 patches as well.
- Disable AutoRun on removable media. More about this below.
- Use strong passwords. The Conficker worm contains a set of commonly-used passwords in order to make it easier for the worm to spread across network shares. A list is mentioned in this news article. For more information about choosing good passwords, see these three earlier ThreatBlog articles here, here and here. We also have a white paper on the subject.
ESET classifies Conficker into several variants, depending upon their behavior and technology. For more information on each classification, see the following ESET Virus Encyclopedia entries: Conficker.A, Conficker.AA, Conficker.AE, Conficker.AQ, Conficker.AR and Conficker.X.
Worms continue to spread quick as a flash
The AUTORUN.INF file, a technology originally envisioned a decade-and-a-half ago to simplify the deployment of content on CD-ROMs, continues to be a top vector for malware. ESET uses a variety of heuristic algorithms and generic signatures to detect both the AUTORUN.INF files which contain links to malware—detected as INF/Autorun and coming in at third place with 7.53% detections—as well as the malware which creates them: Win32/Autorun, coming in at ninth place with 0.78%. Together, they account for 8.31% of detections seen in September, but it is important to keep in mind that other threats which spread via AUTORUN.INF files are first identified as specific threats such as Conficker, so the actual number of threats seen which make use of this technique is higher.
In order to block malware which spreads in this fashion, the option to use AutoRun on removable media needs to be disabled. This has been discussed earlier in ESET’s Threat blog here and here and US CERT, a federal agency responsible for securing the government’s computers give instructions here, as well.
Microsoft’s forthcoming versions of Windows, Windows 7 for desktops and Windows Server 2008 R2 for servers will implement this, and the change has been made available for older versions of Microsoft Windows, such as Windows XP, Vista, Server 2003 and Server 2008. For more information, including tools to apply the change, see this knowledgebase article on Microsoft’s web site.
As mentioned previously, anti-malware software is only part of the security equation. Removing this un-needed functionality from your PC instantly immunizes it against a technique used by nearly a fifth of malware out there. The tools and techniques used to disable AutoRun functionality can be applied in under a minute on a single PC and are easily scriptable so they can be employed in a managed computer environment with a minimum amount of effort. We strongly recommend doing this.
As you can see, malware relies on a number of ways to spread, some of which are solved by updating the operating system and others by changing the less-secure behavior that was chosen in less secure times to more modern secure settings.
We’ll discuss the threats we saw last month in further detail, as well as explain how to better defend yourself in a future blog article.
Aryeh Goretsky MVP, ZCSE