Security Policy For Dummies - How To Avoid Worm_downad Infection

Jan16, 2009

"Quite a few security websites and media outlets have reported on the current wave of WORM_DOWNAD.AD detections over the last few weeks. And last weekend seemed to be a busy time for the worm, infecting a considerable number of machines. What's noteworthy about this particular beastie is not only the scale of the infections (some estimates put it at over 8 million infected machines), but also the propagation techniques - a 3-pronged attack designed to exploit weak company security policies.

Firstly, WORM_DOWNAD.AD sends exploit packets for the recent Microsoft Server Service vulnerability to every machine on the network, and to several randomly selected targets over the Internet. This vulnerability allows remote code execution for an attacker, and affects just about every version of Windows since Windows 2000.

For its next trick, WORM_DOWNAD.AD drops a copy of itself in the Recycler folder (Recycle Bin) of all available removable and network drives. Next it creates an obfuscated Autorun.inf file on these drives, so that the worm is executed simply by browsing to the network folder or removable drive (the user does not need to actually click on the file). A sign of the infection can sometimes be seen in Windows Explorer, when the removable drives are shown with the folder icon instead of the usual drive icon.

And then comes the icing on the cake - it first enumerates the available servers on the network and then, using this information, it gathers a list of user accounts on these machines. Finally it runs a dictionary attack against these accounts using a predefined password list (more details here). If successful (and a scary amount of the time people's passwords are that bad), it drops a copy of itself on their system and uses a scheduled task, also known as an AT job, to execute the worm.

So why is this Worm so successful? Simple - poor security policies."

More at Trend Micro: http://blog.trendmicro.com/
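An added example, not from the Trend Micro post or this thread: the Autorun.inf step above works because Windows' INI parser ignores junk lines, so an obfuscated file still launches its payload. A checker for removable or network shares therefore has to be just as tolerant. The sample file and the "launch command points into a Recycler folder" heuristic are constructed for this illustration.

```python
import re
from typing import Dict, List

# Keys under [autorun] that make Windows launch something from the drive.
LAUNCH_KEY_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.IGNORECASE)
KEYVAL_RE = re.compile(r"^\s*([^=;\[\]]+?)\s*=\s*(.*?)\s*$")

# Constructed sample: junk/comment lines and odd casing mimic the obfuscation
# described above; the payload path is a placeholder, not a real indicator.
SAMPLE_AUTORUN = """\
[AutoRun]
;LJsdkf92fjQQ
ACTION=Open folder to view files
 iCOn = %systemroot%\\system32\\shell32.dll,4
;;;;;;;;;;;;;;;;;
shelLexecute=RUNDLL32.EXE .\\RECYCLER\\S-1-5-21-123\\payload.dll,start
UseAutoPlay=1
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the launch-capable keys of the [autorun] section.

    Lines that are not 'key=value' (comments, random bytes) are skipped,
    exactly as Windows skips them, so padding cannot hide the payload."""
    launch: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun:
            continue
        m = KEYVAL_RE.match(line)
        if not m:
            continue  # junk line, ignored by Windows as well
        key = m.group(1).lower()
        if LAUNCH_KEY_RE.match(key):
            launch[key] = m.group(2)
    return launch


def suspicious_launches(text: str) -> List[str]:
    """Flag launch commands that run something out of a Recycler folder,
    the drop location the post describes (heuristic, an assumption here)."""
    return [f"{k}={v}" for k, v in parse_autorun(text).items()
            if re.search(r"recycler", v, re.IGNORECASE)]
```

Run `suspicious_launches` over each `autorun.inf` found on mounted removable and network drives; a benign vendor file (`open=setup.exe`) yields an empty list.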
