Malware, Network Security, Patch/Configuration Management, Vulnerability Management

Microsoft lends removal help to fend off worm outbreak

To help organizations fend off a fast-spreading worm, Microsoft has added new protection capabilities to its Software Removal Tool.

The move by the software giant comes as rates of infection by the worm -- dubbed Conficker or Downadup -- dramatically have climbed with the outbreak by a new variant earlier this month. F-Secure on Wednesday estimated that more than 3.5 million machines worldwide now are infected, an increase of one million computers over the previous day.

The removal tool, released Tuesday by Microsoft as part of its monthly security update, detects and cleans the malware, which takes advantage of a gaping -- but now patched -- hole in the Windows Server Service.

Signs of the worm first appeared in the final week of November, roughly a month after Microsoft delivered an emergency fix for the bug, which could allow remote code execution by sending a specially crafted Remote Procedure Call (RPC) request.

The new variant is having success because it has devised new methods to propagate, including copying itself to network shares by brute-force password-guessing or spreading through removable media storage devices, such as USB sticks and even cameras, said Ben Greenbaum, a senior research manager for Symantec Security Response.

"None of these are terribly new tactics, to be perfectly frank," he told on Wednesday. "[The ploy works when the] media gets moved to another computer to spread the infection. And it does work."

Microsoft researchers said Tuesday on the company's Malware Protection Center blog that the worm has infected computers across the world, with the highest number impacting machines in the United States, Mexico, France, the UK, Spain, Canada, Italy, Brazil, Korea, Germany, Malaysia and the Czech Republic.

Greenbaum said the massive infection seems to be giving rise to a huge botnet. The worm contains a complex algorithm that generates hundreds of domain names -- few of which that are live -- making it difficult to shut down command-and-control centers from which the compromised PCs receive instructions and new malware updates.

"The virus will calculate a number of different domain names and attempt to connect to them," Greenbaum said. "Every day, it will try to contact all of these. All [the malware writers] need to do is register one of these domains and control them for one day."

Experts reminded users that to avoid the threat all they must do is apply the patch, which has been out since October.

"It was an out-of-cycle patch, which should mean to any user that pays attention that this was important," he said.

Even without the fix, an up-to-date anti-virus solution should detect the worm, Greenbaum added.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.