Fatma Bazargan’s blog

Various # 09-101
January 18, 2009, 11:47 am
Filed under: Security


Two worms that a few security websites and media outlets have recently reported on, W32.Conficker.worm and WORM_DOWNAD.AD, both carry an exploit for the recent Microsoft Server Service vulnerability (MS08-067). W32.Conficker.worm spreads using an exploitation method derived from the Metasploit ms08_067_netapi module, while WORM_DOWNAD.AD is autorun-based malware. The way it works:

- Sends exploit packets to all machines on the network that are not patched against MS08-067 (patch management); once exploited,

- The vulnerability allows an attacker remote code execution and affects every Windows version since Windows 2000 (platform); then

- Drops a copy of itself in the Recycler folder (Recycle Bin) of all available removable and network drives (propagation); next

- Creates an obfuscated autorun.inf file on all these drives, so the worm is executed simply by browsing to the network folder or removable drive (weak security policy); then

- Enumerates the available servers on the network and uses that information to gather a list of user accounts on these machines (segregation); finally,

- Runs a dictionary attack against those accounts using a predefined password list; if successful, it drops a copy of itself on their system and uses a scheduled task (weak passwords – policy).
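A defender-side triage check for the autorun.inf behaviour described above, added here as an example and not code from the original post: it parses the file the lenient way Windows does, pulls out the keys that launch a program, and flags a launch target inside a RECYCLER folder or heavy non-printable padding. The sample files, the RECYCLER path and the 5% padding threshold are constructed assumptions.

```python
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KV_RE = re.compile(r"^\s*([^=;\s][^=]*?)\s*=\s*(.*?)\s*$")

def nonprintable_ratio(data: bytes) -> float:
    """Fraction of bytes outside printable ASCII, tab, CR and LF."""
    junk = sum(1 for b in data if not (32 <= b < 127 or b in (9, 10, 13)))
    return junk / max(len(data), 1)

def parse_autorun(data: bytes) -> dict:
    """Lenient INI parse: only keys under [autorun] matter; other sections are ignored."""
    keys, section = {}, None
    for raw in data.decode("latin-1").splitlines():
        m = SECTION_RE.match(raw)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "autorun":
            m = KV_RE.match(raw)
            if m:
                keys[m.group(1).lower()] = m.group(2)
    return keys

def exec_targets(keys: dict) -> list:
    """Values Windows may run: open, shellexecute and shell\\<verb>\\command."""
    return [v for k, v in keys.items()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))]

def triage_autorun(data: bytes) -> dict:
    """Summarise one autorun.inf; the 0.05 padding threshold is a constructed assumption."""
    targets = exec_targets(parse_autorun(data))
    recycler = any("recycle" in t.lower() for t in targets)  # RECYCLER / RECYCLED
    junk = nonprintable_ratio(data)
    return {"targets": targets, "recycler_target": recycler,
            "nonprintable_ratio": round(junk, 3),
            "suspicious": recycler or junk > 0.05}

# Constructed sample files, not real specimens.
BENIGN = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.ico\r\n"
PADDED = (b"[junk]\r\n" + bytes(range(128, 256)) * 2 + b"\r\n"
          b"[autorun]\r\n"
          b"shellexecute=RECYCLER\\S-1-5-21-CONSTRUCTED\\payload.exe\r\n"
          b"action=Open folder to view files\r\n")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("padded", PADDED)):
        print(name, triage_autorun(blob))
```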


Word to spread: even one UNPATCHED machine is enough to cause a catastrophe across the entire network. The patch has been available since late last year. If you haven’t patched your machines, it is highly recommended that you do so: download and install MS08-067. (Patch Management)


Another news bit: LinkedIn is a professional networking site that connects several million users across many different industries. It has finally been touched by cybercriminals: close to a hundred bogus profiles have been created that include links to malware domains, redirectors and droppers to cause infection, using the names and images of famous individuals such as Salma Hayek, Beyonce, Kate Hudson, and several others. A detailed explanation can be found here.


Finally, there is an amusing list put together by Lenny Zeltser of DShield, How to Suck at Information Security, and an informative cheat sheet on Information Security Assessment RFPs; both are worth a read.



Good Day!

Fatma Bazargan

