New Neeris worm variant imitates spread methods of Conficker

Microsoft researchers are warning of a new malware variant that has been customized to exploit the same vulnerability as the notorious Conficker worm.

The Neeris worm, which has been circulating for about four years, now is copycatting the infectious Conficker worm, according to a Friday blog post from researchers Ziv Mador and Aaron Putnam. A new Neeris variant began popping up last week -- this one customized to exploit the same Windows Server service vulnerability as Conficker. That flaw was patched last October by security bulletin MS08-067.

The similarities between Neeris and Conficker don't end there. The researchers said Neeris, like Conficker, also can spread via AutoRun, a Windows feature that enables files or programs to immediately run when a removable media device, such as a USB stick or CD-ROM, is connected to a computer. Many experts attribute this propagation method to the precipitous rise of Conficker infections earlier this year.

"It is possible that these miscreants somehow collaborate or at least are aware of each other's 'products,'" the researchers wrote.

While Neeris is nowhere close to Conficker in terms of infected nodes, at least one major U.S.-based company has experienced a massive outbreak, Jimmy Kuo, principal architect of the Microsoft Malware Response Center, told on Monday. He did not know which one.

"It is definitely in the wild," Kuo said.

Neeris' earliest variants mostly spread via MSN Messenger, an instant messaging application, and by exploiting another server service vulnerability, patched in August 2006 by the MS06-040 bulletin. Later variants, though, began propagating through other means, such as removable drives and SQL servers with weak passwords.

The newest bot variant spreads via the latest server service vulnerability and leverages port 449 to attempt to contact a command-and-control server.

Security experts, though, told on Monday that Neeris' new variant does not figure to pose much of a problem because most people have applied MS08-067.

"That's a pretty well worn-out issue," said Ken Dunham, director of global response for security firm iSight Partners. "It's not really a hot vector anymore for spreading."

He said he is more concerned about cybercrooks using the so-called sneakernet vector, in which a thief transfers malicious code from one machine to the next, usually by way of removable media.

To protect against the worm, organizations should take the same steps as they did with Conficker, according to Microsoft. That includes installing MS08-067 and disabling AutoRun, if possible.
