Risk
3/30/2009
07:18 PM

Homeland Security Keeps Tabs On Conficker Worm

The agency's US-CERT team created worm-scanning software for federal and state government agencies, commercial vendors, and critical infrastructure owners.

As computer security firms play down the risk posed by the Conficker/Downadup worm, the Department of Homeland Security on Monday released a DHS-developed detection tool to help organizations scan for computers infected by the worm.

The DHS US-CERT team created worm-scanning software for federal and state government agencies, commercial vendors, and critical infrastructure owners. It's being made available through the Government Forum of Incident Response and Security Teams Portal and to private-sector partners through various Information Sharing and Analysis Centers.

DHS expects to continue its outreach efforts in the days to come.

US-CERT director Mischel Kwon said in a statement that while other worm-mitigation tools are available, this is the only free tool available for enterprises like government agencies.

"Our experts at US-CERT are working around the clock to increase our capabilities to address the cyber risk to our nation's critical networks and systems, both from this threat and all others," he said.

Last week, Luis Corrons, director of PandaLabs, urged Internet users not to panic, as did representatives from other security companies, many of which offer worm-mitigation tools for consumers.

But some may panic anyway, and a malware group is ready to take their money. F-Secure reports that the domain remove-conficker.org was registered on Monday to sell fake security software.

The Conficker/Downadup worm attempts to exploit a Microsoft Windows vulnerability that was patched (MS08-067) last October. Since then, it has been updated several times. Now in its fourth iteration, it has developed multiple avenues of infection, including USB devices. It also uses a variety of sophisticated techniques to evade detection and to maintain its command-and-control channel, including a pseudo-random algorithm for generating the domains it uses to receive commands.

The worm is supposed to get a code update on April 1 that may make it harder to disrupt. Infected machines previously polled 250 domains daily to see whether to execute new commands. Security researchers who have analyzed the worm's code believe that on Wednesday infected machines will start scanning 500 out of 50,000 domains for update information.
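The daily polling of hundreds of pseudo-random domains described above leaves a footprint in resolver logs: an infected host issues many lookups for distinct, never-seen names, most of which do not resolve. The following is an added example (not DHS's tool or anything from the article) of a detection pass over constructed DNS log lines; the log format, the domain names and the thresholds are all assumptions for illustration and should be tuned against a baseline of normal traffic.

```python
"""Flag hosts whose DNS behaviour looks like daily DGA polling (many
distinct lookups, mostly NXDOMAIN, to never-before-seen domains)."""
from collections import defaultdict

# Constructed sample resolver log lines (hypothetical format:
# "<time> <client_ip> <qname> <rcode>"); not from any real capture,
# and the domain names are made up, not real Conficker domains.
SAMPLE_LOG = """\
08:00:01 10.0.0.5 intranet.example.local NOERROR
08:00:02 10.0.0.5 www.example.com NOERROR
08:00:03 10.0.0.9 qkzxw.net NXDOMAIN
08:00:03 10.0.0.9 plmvbt.org NXDOMAIN
08:00:04 10.0.0.9 zzrqaa.info NXDOMAIN
08:00:04 10.0.0.9 hgtyun.net NXDOMAIN
08:00:05 10.0.0.9 ccvbnm.cc NXDOMAIN
08:00:05 10.0.0.9 aaqwer.biz NOERROR
08:00:06 10.0.0.5 mail.example.com NOERROR
08:00:07 10.0.0.9 xjhdfe.ws NXDOMAIN
"""

def parse_dns_log(text):
    """Yield (client, qname, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _time, client, qname, rcode = parts
        yield client, qname.lower().rstrip("."), rcode.upper()

def dga_suspects(text, min_domains=5, min_nx_ratio=0.6):
    """Return {client: (distinct_domains, nxdomain_ratio)} for clients
    whose lookups exceed both thresholds (illustrative values)."""
    domains = defaultdict(set)
    nx = defaultdict(int)
    total = defaultdict(int)
    for client, qname, rcode in parse_dns_log(text):
        domains[client].add(qname)
        total[client] += 1
        if rcode == "NXDOMAIN":
            nx[client] += 1
    out = {}
    for client, seen in domains.items():
        ratio = nx[client] / total[client]
        if len(seen) >= min_domains and ratio >= min_nx_ratio:
            out[client] = (len(seen), round(ratio, 2))
    return out

if __name__ == "__main__":
    for client, (n, ratio) in dga_suspects(SAMPLE_LOG).items():
        print(f"{client}: {n} distinct domains, {ratio:.0%} NXDOMAIN")
```

A flagged host is a lead for host-level triage, not proof of infection; legitimate software that probes many hostnames can trip the same thresholds.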

It's not clear whether this will cause the botnet created by the worm to take action. Until now, the botnet has been dormant.

Somewhere between 1 million and 2 million computers are actively infected, according to F-Secure. At the worm's peak, almost 9 million computers were infected.


