Article

Microsoft RPC worm spreads in corporate networks

Robert Westervelt, News Editor

A Microsoft RPC vulnerability was patched in an out-of-band release in October, but organizations slow to deploy the update are learning the hard way how fast various RPC worm variants can spread through

    Requires Free Membership to View

    Login

corporate networks.

SearchSecurity.com:
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Security vendor F-Secure Corp. said it received reports of additional successful infections of corporate networks. In several F-Secure blog posts, the security vendor said the Downadup/Conficker worms are frustratingly painful to disinfect as they lock out users from their accounts and crack passwords using a built-in dictionary.

Although the worms have spread fairly slowly on the Internet, once a corporate network is infected the worm spreads like wild fire through local area networks, USB drives and other removable media, F-Secure said.

Microsoft RPC flaw timeline:
Oct. 23 - Microsoft releases Windows patch to stop worm attack: Microsoft issued an out of cycle update, plugging a dangerous hole that could be used to craft a worm attack.

Nov. 6 - New malware exploits Microsoft RPC flaw: New malware is targeting the Microsoft RPC flaw, Microsoft warns. Companies should deploy the emergency patch immediately to prevent hacker attacks.

Dec. 1 - Microsoft learns of successful RPC worm infections: Microsoft said a number of customers are infected with worms that successfully exploit the RPC flaw and download malware.

Microsoft said it received reports from customers infected by the worm. It advises customers to deploy the patch as soon as possible. The worm attempts to connect to an IRC server to download more malware and receive additional commands from an attacker.

The software giant issued an emergency patch Oct. 23, repairing the vulnerability which left Windows systems dangerously open to attack. It was only the fourth time that Microsoft released a security patch outside of its monthly cycle. Hours after the patch release, security researchers reported the discovery of the first Trojans in the wild attempting to exploit the flaw.

Disinfection tool released

F-Secure provided a list of domains that should be blocked to prevent a worm infection. The vendor also released a tool to disinfect corporate networks.

"You must clean all of the computers within your network or else you risk reinfections. Servers first, then workstations," F-Secure said. "Disinfect, then use the manual Microsoft update to patch, then manually update your antivirus, then do a full system scan for all files."


Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top