Site Archives Downadup

Conficker Variant Activates April 1st

Posted on March 31st, 2009

GSA Reference Number: AD090330-01

Simply Put: A small media frenzy has been created as many security professionals and groups have released research indicating that the Conficker worm will change the way it works on April 1st, 2009. On April 1st, Conficker will reconfigure its updating functionality, making it easier for infected machines to receive updates. While the code update is important news, researchers have found no indication of an attack beginning on April 1st. These updates will reach machines that are already infected. However, the risk of a new Conficker infection is always present. April 1st will certainly be an important date on which to monitor network traffic, but the Conficker worm will be just as dangerous before and after April 1st, as many of Conficker’s attack and propagation techniques have been very effective to date.

Conficker Worm

Posted on January 21st, 2009

Recently, researchers have discovered millions of PCs infected with the Conficker worm, also commonly known as Downup and Downadup. Conficker is a rather nasty worm that can enter a network in a few possible ways and then quickly spread itself across it. The majority of systems are first compromised via a vulnerability in Microsoft’s Server service. This vulnerability, described in MS08-067, could allow remote code execution through specially crafted NetBIOS traffic. The worm has also been found on compromised web servers and can be installed when users try to view web pages served by the compromised server.