Incident Response, Network Security, Patch/Configuration Management, TDR, Vulnerability Management

New Neeris worm variant imitates spread methods of Conficker

Microsoft researchers are warning of a new malware variant that has been customized to exploit the same vulnerability as the notorious Conficker worm.

The Neeris worm, which has been circulating for about four years, now is copycatting the infectious Conficker worm, according to a Friday blog post from researchers Ziv Mador and Aaron Putnam. A new Neeris variant began popping up last week -- this one customized to exploit the same Windows Server service vulnerability as Conficker. That flaw was patched last October by security bulletin MS08-067.

The similarities between Neeris and Conficker don't end there. The researchers said Neeris, like Conficker, also can spread via AutoRun, a Windows feature that enables files or programs to immediately run when a removable media device, such as a USB stick or CD-ROM, is connected to a computer. Many experts attribute this propagation method to the precipitous rise of Conficker infections earlier this year.

"It is possible that these miscreants somehow collaborate or at least are aware of each other's 'products,'" the researchers wrote.

While Neeris is nowhere close to Conficker in terms of infected nodes, at least one major U.S.-based company has experienced a massive outbreak, Jimmy Kuo, principal architect of the Microsoft Malware Response Center, told on Monday. He did not know which one.

"It is definitely in the wild," Kuo said.

Neeris' earliest variants mostly spread via MSN Messenger, an instant messaging application, and by exploiting another server service vulnerability, patched in August 2006 by the MS06-040 bulletin. Later variants, though, began propagating through other means, such as removable drives and SQL servers with weak passwords.

The newest bot variant spreads via the latest server service vulnerability and leverages port 449 to attempt to contact a command-and-control server.

Security experts, though, told on Monday that Neeris' new variant does not figure to pose much of a problem because most people have applied MS08-067.

"That's a pretty well worn-out issue," said Ken Dunham, director of global response for security firm iSight Partners. "It's not really a hot vector anymore for spreading."

He said he is more concerned about cybercrooks using the so-called sneakernet vector, in which a thief transfers malicious code from one machine to the next, usually by way of removable media.

To protect against the worm, organizations should take the same steps as they did with Conficker, according to Microsoft. That includes installing MS08-067 and disabling AutoRun, if possible.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.