On Fri, Mar 20, 2009 at 4:54 PM, Ziots, Edward <[email protected]> wrote:
> Just as a followup the following KB article fixed that issue, what I am
> still concerned about even though these systems were patched about 2-3
> months ago with MS08-067 they still got somewhat infected...

As mentioned, Conficker has multiple methods of propagation. The MS08-067 Server RPC vulnerability is only half the problem.

The other common vector is removable media, such as USB flash drives. Combined with Autorun, all you have to do is insert the media, and Windows will automatically run Conficker for you. Even with Autorun completely disabled, the user can still find the Trojan horse executable on the media and double-click to run it manually.

If you're running with unprivileged users, it can still set itself up in the user's profile. It shouldn't (*shouldn't*) be able to disable anti-virus or compromise the local system, but it can run within the privileges of the user. It can scan for hosts still vulnerable to MS08-067. It can scan for network shares, and try to copy itself to them. It can try to brute force passwords to propagate to more hosts. That last is presumably what leads to the account lockouts others have described.

-- Ben
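
The account lockouts mentioned above can be traced back to the host doing the password guessing by correlating failed-logon events per source. This is an added example, not part of the original message: the CSV layout, host names, account names and thresholds are constructed, and event IDs 4625 (failed logon) and 4740 (account locked out) are those of Windows Vista/Server 2008 and later.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: time, event ID, source host, target account.
# 4625 = failed logon, 4740 = account locked out (assumed export layout).
SAMPLE_EVENTS = """\
2009-03-20T09:00:01,4625,WKS-017,alice
2009-03-20T09:00:02,4625,WKS-017,bob
2009-03-20T09:00:03,4625,WKS-017,carol
2009-03-20T09:00:04,4625,WKS-017,dave
2009-03-20T09:00:05,4740,WKS-017,alice
2009-03-20T09:00:06,4625,WKS-017,erin
2009-03-20T09:14:30,4625,WKS-042,frank
2009-03-20T09:15:10,4625,WKS-042,frank
2009-03-20T09:15:40,4740,WKS-042,frank
"""

def parse(text):
    """Turn the constructed CSV lines into time-ordered event tuples."""
    events = []
    for line in text.splitlines():
        ts, event_id, source, account = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id), source, account))
    return sorted(events)

def suspect_sources(events, window=timedelta(minutes=5), min_accounts=4):
    """Return {source: sorted accounts} for hosts that fail logons against
    at least min_accounts distinct accounts inside one sliding window."""
    failures = defaultdict(list)
    for ts, event_id, source, account in events:
        if event_id == 4625:
            failures[source].append((ts, account))
    flagged = {}
    for source, rows in failures.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # drop failures older than the window
            accounts = {acct for _, acct in rows[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged.setdefault(source, set()).update(accounts)
    return {s: sorted(a) for s, a in flagged.items()}

def lockouts_by_source(events):
    """Group locked-out accounts by the host the lockout was attributed to."""
    out = defaultdict(list)
    for _, event_id, source, account in events:
        if event_id == 4740:
            out[source].append(account)
    return dict(out)
```

A source that fails against many different accounts in a short window (WKS-017 here) looks like automated guessing, while repeated failures on a single account (WKS-042) look like a user with a stale or mistyped password.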
