Symantec Global Internet Security Threat Report
Of significant note regarding this propagation method is Downadup. Since November 2008 it has risen to be the sixth-ranked staged downloader component and, overall, the fifth-ranked potential infection for 2009. As noted earlier, Symantec observed more than 1.5 million infection counts of the Downadup worm in December 2009 alone, and Downadup was estimated to be present on more than 6 million PCs worldwide at the end of 2009, even though Microsoft issued a patch for the vulnerability it exploits on October 23, 2008.[174]
Downadup exploits a vulnerability in Microsoft Windows that allows attackers to remotely gain administrative privileges on computers. Microsoft states that there were limited and targeted attacks up to two weeks prior to patching the issue.[175] Proof-of-concept exploit code was released October 24, 2008, and the first worm exploiting the vulnerability was Wecorl,[176] which was discovered on November 2, 2008. Downadup was discovered on November 21. Approximately four weeks elapsed between the availability of the patch addressing the vulnerability that Downadup exploits and Downadup's discovery.
The A and B variants of Downadup account for the vast majority of infections worldwide, with Downadup.C infecting fewer than half a million computers by the end of 2009. Successive variants after C affect even fewer computers.
The success of Downadup illustrates that, even though only a small number of samples exploit vulnerabilities, those samples have great success in compromising unpatched computers. End users and enterprises should ensure that vulnerabilities in affected software are patched as soon as fixes are available. The continuing prevalence of the older A and B variants of Downadup, in particular, illustrates the importance of software updates. Intrusion prevention systems and antivirus software can help protect against malicious code that exploits vulnerabilities for which no patch is available.
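The timeline above turns into a concrete patch-management metric once each host's patch date is known: how long was each machine exploitable after working exploit code existed? The script below is an added example, not part of the report; the event dates are the ones the report gives, while the fleet inventory (hostnames and patch dates) is constructed for illustration.

```python
from datetime import date

# Dated events taken from the report's Downadup timeline.
PATCH_RELEASED = date(2008, 10, 23)
EXPLOIT_EVENTS = {
    "proof-of-concept exploit code released": date(2008, 10, 24),
    "Wecorl worm discovered": date(2008, 11, 2),
    "Downadup worm discovered": date(2008, 11, 21),
}
# First day public exploit code was available; used as the start of exposure.
FIRST_EXPLOIT = EXPLOIT_EVENTS["proof-of-concept exploit code released"]
# Constructed audit date for the fleet report.
AS_OF = date(2008, 12, 31)


def days_after_patch(events=EXPLOIT_EVENTS, patch_date=PATCH_RELEASED):
    """Map each exploitation milestone to the days elapsed since the patch shipped."""
    return {name: (when - patch_date).days for name, when in events.items()}


def exposure_days(patched_on, exploit_date, as_of):
    """Days a host was exploitable: from the first day working exploit code
    existed until the host was patched, or until `as_of` if never patched.
    Hosts patched on or before `exploit_date` have zero exposure."""
    end = as_of if patched_on is None else patched_on
    return max(0, (end - exploit_date).days)


def audit_fleet(hosts, exploit_date, as_of):
    """hosts: {hostname: date the patch was applied, or None if still unpatched}.
    Returns (hostname, exposure_days, still_unpatched) tuples, worst first."""
    rows = [(host, exposure_days(patched, exploit_date, as_of), patched is None)
            for host, patched in hosts.items()]
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


# Constructed fleet inventory (hypothetical hostnames and patch dates).
SAMPLE_FLEET = {
    "web-dmz-01": date(2008, 10, 24),   # patched the day the PoC appeared
    "fileserver-02": date(2008, 11, 10),
    "kiosk-07": None,                   # never patched
}

if __name__ == "__main__":
    for name, days in days_after_patch().items():
        print(f"{days:3d} days after patch: {name}")
    for host, days, unpatched in audit_fleet(SAMPLE_FLEET, FIRST_EXPLOIT, AS_OF):
        flag = "  (STILL UNPATCHED)" if unpatched else ""
        print(f"{host:15s} exposed {days:3d} days{flag}")
```

Measured from the patch date, the proof-of-concept code appeared after 1 day, Wecorl after 10 and Downadup after 29, which is the report's "approximately four weeks". Sorting the fleet by exposure puts the unpatched host first, which is the list a patch-management team should be working from.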
Malicious code—protection and mitigation
It is critical that end users and enterprises maintain the most current antivirus definitions to protect against the high quantity of new malicious code threats. IDS, IPS, and other behavior-blocking technologies should also be employed to prevent compromise by new threats. Using a firewall can also prevent threats that send information back to the attacker from opening a communication channel.
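The firewall point above (and the ingress and egress filtering recommended further down) comes down to a small set of rules: drop inbound packets that claim an inside address, allow inbound only to published services, and default-deny outbound so that infected hosts cannot open an arbitrary channel back to an operator. The following is an added example of that policy as a packet classifier, not code from the report; the address plan uses documentation ranges, the DMZ hosts are hypothetical, and the services are the ones the report names (HTTP, FTP, SMTP, DNS).

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan using documentation ranges; not a real network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")

# Services the report names as public, each pinned to one hypothetical DMZ host.
# Inbound traffic from the Internet is allowed only to these (host, port) pairs.
PUBLISHED_SERVICES = {
    "192.0.2.10": {80},   # HTTP
    "192.0.2.20": {21},   # FTP control channel
    "192.0.2.30": {25},   # SMTP
    "192.0.2.40": {53},   # DNS
}

# Egress is default-deny: each zone may reach only these destination ports.
EGRESS_PORTS = {
    "internal": {80, 443, 53},
    "dmz": {25, 53, 80, 443},   # the mail relay and resolver must talk outbound
}


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the Internet, "out" = leaving toward it
    src: str
    dst: str
    dport: int


def zone(ip):
    """Classify an address as internal, dmz, or external."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    if addr in DMZ_NET:
        return "dmz"
    return "external"


def ingress(pkt):
    # Anti-spoofing: a packet arriving from the Internet may never carry one of our addresses.
    if zone(pkt.src) != "external":
        return ("drop", "spoofed inside source on external interface")
    if zone(pkt.dst) == "dmz" and pkt.dport in PUBLISHED_SERVICES.get(pkt.dst, set()):
        return ("allow", "published DMZ service")
    if zone(pkt.dst) == "internal":
        return ("drop", "unsolicited inbound to internal network")
    return ("drop", "unpublished port")


def egress(pkt):
    src_zone = zone(pkt.src)
    # Anti-spoofing the other way: only our own addresses may leave.
    if src_zone == "external":
        return ("drop", "source address not ours (spoofed egress)")
    if zone(pkt.dst) != "external":
        return ("drop", "zone-to-zone traffic is not an egress flow")
    if pkt.dport in EGRESS_PORTS[src_zone]:
        return ("allow", "approved egress port")
    # This rule is what denies malware an arbitrary channel back to its operator.
    return ("drop", "egress default deny")


def filter_packet(pkt):
    """Return (verdict, reason) for one packet seen at the perimeter."""
    return ingress(pkt) if pkt.direction == "in" else egress(pkt)


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Packet("in", "203.0.113.5", "192.0.2.10", 80),
        Packet("in", "10.1.2.3", "192.0.2.10", 80),
        Packet("in", "203.0.113.5", "192.0.2.10", 8080),
        Packet("out", "10.1.2.3", "203.0.113.9", 443),
        Packet("out", "10.1.2.3", "203.0.113.9", 6667),
        Packet("out", "198.51.100.7", "203.0.113.9", 443),
    ]
    for pkt in samples:
        verdict, why = filter_packet(pkt)
        print(f"{pkt.direction:3s} {pkt.src:>14s} -> {pkt.dst}:{pkt.dport:<5d} {verdict:5s} {why}")
```

The egress default-deny is the rule that matters most for the report's point about malware phoning home: an internal host that has been compromised can only reach the handful of ports the business has approved, and everything else is dropped and can be logged as a detection signal. Real perimeter devices express the same policy as stateful rules; the classifier here only decides per packet.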
Symantec recommends that certain best security practices always be followed to protect against malicious code infection. Administrators should keep patch levels up to date, especially on computers that host public services and applications—such as HTTP, FTP, SMTP, and DNS servers—and that are accessible through a firewall or placed in a DMZ. Email servers should be configured to allow only the file attachment types that are required for business needs, and to block email that appears to come from within the company but actually originates from external sources. Additionally, Symantec recommends that ingress and egress filtering be put in place on perimeter devices to prevent unwanted activity.
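The two email-server recommendations above (allow only required attachment types; reject mail that claims an internal sender but arrives from outside) can be expressed as a small policy check run at delivery time. The code below is an added example using Python's standard `email` package, not the report's or any mail server's own implementation; the internal domain, address range and attachment allow-list are constructed policy values, and the messages are built inline for the demonstration.

```python
import ipaddress
import os
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed policy: the organisation's own domain, its address space, and
# the attachment types its business actually needs.
INTERNAL_DOMAINS = {"example.com"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".txt"}


def _domain(address):
    """Lower-cased domain part of an address such as 'Alice <alice@example.com>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def _from_inside(peer_ip):
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(msg, mail_from, peer_ip):
    """Apply both rules to one message.

    msg       -- the parsed message (header From and attachments are inspected)
    mail_from -- SMTP envelope sender (MAIL FROM), checked alongside the header
    peer_ip   -- address of the host that delivered the message
    Returns ('accept' | 'reject', [reasons]).
    """
    reasons = []
    # Rule 1: a message claiming to be from us must arrive from our own network.
    claimed = {_domain(mail_from), _domain(msg.get("From", ""))}
    if claimed & INTERNAL_DOMAINS and not _from_inside(peer_ip):
        reasons.append(f"internal sender domain claimed by external host {peer_ip}")
    # Rule 2: only allow-listed attachment types. Only the final extension
    # counts, so 'invoice.pdf.exe' is judged as '.exe'; names are lower-cased.
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            reasons.append("attachment without a filename")
            continue
        ext = os.path.splitext(name.lower())[1]
        if ext not in ALLOWED_EXTENSIONS:
            reasons.append(f"attachment type not permitted: {name}")
    return ("reject" if reasons else "accept", reasons)


def build_message(sender, recipient, attachments=()):
    """Construct a test message; attachments is a sequence of (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "policy test"
    msg.set_content("see attached")
    for name, payload in attachments:
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


if __name__ == "__main__":
    # Constructed deliveries: (description, message, envelope sender, peer IP).
    cases = [
        ("internal sender from inside",
         build_message("Alice <alice@example.com>", "bob@example.com", [("q3.pdf", b"%PDF-")]),
         "<alice@example.com>", "10.1.2.3"),
        ("internal sender from outside",
         build_message("Alice <alice@example.com>", "bob@example.com", [("q3.pdf", b"%PDF-")]),
         "<alice@example.com>", "203.0.113.7"),
        ("double extension from vendor",
         build_message("Vendor <v@vendor.test>", "bob@example.com", [("invoice.pdf.exe", b"MZ")]),
         "<v@vendor.test>", "203.0.113.7"),
    ]
    for label, msg, mail_from, peer in cases:
        verdict, why = evaluate(msg, mail_from, peer)
        print(f"{label:32s} {verdict:6s} {'; '.join(why)}")
```

Checking the envelope sender as well as the header `From` matters because the two are set independently and either one can carry the forged internal domain. The extension check deliberately looks only at the last suffix, which is what the operating system will use when the file is opened.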
174 See http://www.shadowserver.org/wiki/pmwiki.php/Stats/Conficker and http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
175 http://blogs.technet.com/msrc/archive/2008/10/23/ms08-067-released.aspx
176 http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-110306-2212-99