On Fri, Mar 20, 2009 at 1:04 PM, Kennedy, Jim <[email protected]> wrote:

> Regular users on fully patched XP and you are screwed.

Hmmmm. Worrying.

I just went and double-checked the various threat evaluations for Conficker. Everyone seems to be reporting about the same thing. In particular, everyone is reporting the same two infection vectors:

* Scans networks and exploits the MS08-067 Server RPC vulnerability
* Copies itself to removable media
* Copies itself to network shares (available to user, or with weak passwords)
* Uses AUTORUN.INF for automatic or unwitting execution on media insertion or opening

I don't see anything about any additional privilege escalation or anything like that. If you're not running with people as admin, any idea how it got so bad for you? Is there something I'm missing? Or are you as much in the dark as anyone? :)

I do read that Conficker is smart enough to try putting itself in the user's %TEMP% directory, so an infection of an underprivileged user's profile sounds possible. It sets up network scanners and listeners, and those wouldn't necessarily need system privileges. So an unprivileged user who managed to run the executable from a USB drive could well cause problems for others. But it shouldn't be able to kill off anti-virus or modify the system. So updated anti-virus signatures should be able to find and kill it. Failing that, manual removal using a clean admin account. Without system privileges, it shouldn't be able to cloak itself or install a rootkit or anything like that.

We've had AUTORUN.INF blocked via the INI registry redirection trick for years now, and the patch for MS08-067 is deployed. We also don't run *anyone* as an admin for their regular accounts. I've been assuming this makes us fairly safe from Conficker. Your report has me concerned.

-- 
Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
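The three mitigations Ben describes (the AUTORUN.INF INI-mapping trick, the MS08-067 patch, and no day-to-day admin rights) can be audited on a workstation with a short script. The following PowerShell is an added example written for this archive, not code from the thread or from any product mentioned in it. It assumes the standard form of the INI-mapping trick (mapping `Autorun.inf` under `IniFileMapping` to the non-existent section `@SYS:DoesNotExist`), assumes the MS08-067 hotfix is identified as KB958644 (check this against the bulletin for your platform), and treats any recently written executable or DLL in the user's `%TEMP%` as something to review rather than as proof of infection.

```powershell
# Added example: audit the Conficker mitigations discussed in the thread.
# Not part of the original message; assumptions are marked in comments.

function Test-AutorunIniMapping {
    # The "INI registry redirection trick": pointing Autorun.inf at a section
    # that does not exist makes Windows ignore every AUTORUN.INF it reads.
    # Assumed key and value; this is the commonly published form of the trick.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
    if (-not (Test-Path $key)) { return $false }
    $default = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    return ($default -eq '@SYS:DoesNotExist')
}

function Test-MS08067Patch {
    # Assumption: the MS08-067 hotfix is catalogued as KB958644.
    param([string]$KbId = 'KB958644')
    $fix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    return ($null -ne $fix)
}

function Test-CurrentUserIsAdmin {
    # True when the running account holds the local Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-RecentTempExecutables {
    # Ben notes Conficker may drop itself into the user's %TEMP%. List recently
    # modified executables and DLLs there for a human to review; presence alone
    # is not evidence of infection.
    param([int]$Days = 7)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $env:TEMP -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        Select-Object FullName, Length, LastWriteTime
}

function Invoke-ConfickerMitigationAudit {
    # Collect the three checks into one object so the result can be logged
    # or exported (for example with Export-Csv) from many machines.
    $result = New-Object PSObject -Property @{
        Computer            = $env:COMPUTERNAME
        User                = $env:USERNAME
        AutorunInfBlocked   = Test-AutorunIniMapping
        MS08067Patched      = Test-MS08067Patch
        UserIsLocalAdmin    = Test-CurrentUserIsAdmin
        RecentTempBinaries  = @(Get-RecentTempExecutables).Count
    }
    # Anything here that is not the expected value is a gap Ben's reasoning
    # depends on: autorun blocked, patch present, user not an admin.
    $result.Gaps = @()
    if (-not $result.AutorunInfBlocked) { $result.Gaps += 'AUTORUN.INF not blocked' }
    if (-not $result.MS08067Patched)    { $result.Gaps += 'MS08-067 hotfix missing' }
    if ($result.UserIsLocalAdmin)       { $result.Gaps += 'user runs as local admin' }
    return $result
}

# Usage: run as the ordinary (non-admin) user whose profile you want to check.
$audit = Invoke-ConfickerMitigationAudit
$audit | Format-List
if ($audit.RecentTempBinaries -gt 0) {
    Write-Host "Review these recent binaries in $env:TEMP:"
    Get-RecentTempExecutables | Format-Table -AutoSize
}
```

Run it under the user's normal account rather than an elevated one, since `Test-CurrentUserIsAdmin` reports on whoever is running the script; the point of the check is to confirm that day-to-day logons do not carry the rights Conficker would need to disable anti-virus or modify the system.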
