Wednesday, January 28, 2009

Downadup Worm Taking Advantage of Universal Plug And Play

Downadup aka Conficker worm is at the moment a hot topic in computer security. This parasite has infected systems all over the world using a variety of methods to spread itself. One of these is a remote procedure call (RPC) exploit against the MS08-067 vulnerability. Using the vulnerability, the worm injects shellcode that connects back to the infecting machine. This is known as a back-connect. The back-connect works via HTTP on a randomly selected port and the infecting machine responds to incoming requests by providing the entire worm file. The shellcode receives this file and executes it on the remote host, causing it to then become infected.

Nowadays, many users have routers and other gateway devices that by default prevent external computers from connecting to their home systems, in addition to using network address translation (NAT). Normally that makes the back-connect fail to establish, and in that way protects against Downadup infection.

However, this worm is a sneaky one and tries to bypass the issue by taking advantage of the Universal Plug and Play (UPnP) protocol. Eric Chien describes in a Symantec Security Response Blog entry how that is done.
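The UPnP mechanism the worm relies on is the Internet Gateway Device (IGD) profile, in which a LAN host sends a SOAP `AddPortMapping` request to the router's WANIPConnection control URL to open an inbound port. The following is an added example for defenders, not code from the original post or from Symantec: it parses such a request body captured from LAN HTTP traffic and flags mappings with the characteristics a back-connect listener would need (permanent lease, no description, a high-numbered port). The sample SOAP body, the internal address 192.168.1.23 and port 5791 are constructed, and the scoring heuristics are this example's own assumptions, not detection logic from the page.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SOAP and by the UPnP IGD WANIPConnection service
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed sample of an AddPortMapping request as seen on the LAN
# (all values are made up for this example)
SAMPLE_ADD_MAPPING = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>5791</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>5791</NewInternalPort>
      <NewInternalClient>192.168.1.23</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription></NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>
"""

# Constructed sample of a harmless IGD query for comparison
SAMPLE_GET_IP = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:GetExternalIPAddress xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"/>
  </s:Body>
</s:Envelope>
"""


def parse_add_port_mapping(body):
    """Return the fields of an AddPortMapping request, or None if the
    SOAP body carries some other action."""
    root = ET.fromstring(body)
    node = root.find(f"{{{SOAP_NS}}}Body/{{{WANIP_NS}}}AddPortMapping")
    if node is None:
        return None

    def text(tag):
        # Argument elements are unnamespaced children of the action element
        child = node.find(tag)
        return (child.text or "").strip() if child is not None else ""

    return {
        "external_port": int(text("NewExternalPort")),
        "internal_port": int(text("NewInternalPort")),
        "protocol": text("NewProtocol").upper(),
        "internal_client": text("NewInternalClient"),
        "enabled": text("NewEnabled") == "1",
        "description": text("NewPortMappingDescription"),
        "lease_duration": int(text("NewLeaseDuration") or "0"),
    }


def assess(mapping):
    """Heuristic triage (assumed, not from the page): list the reasons a
    mapping looks like an unattended listener rather than a known app."""
    reasons = []
    if mapping["lease_duration"] == 0:
        reasons.append("permanent mapping (lease duration 0)")
    if not mapping["description"]:
        reasons.append("no port mapping description")
    if mapping["external_port"] >= 1024 and mapping["protocol"] == "TCP":
        reasons.append("high-numbered TCP port exposed")
    return reasons


def triage(body):
    """Parse a captured SOAP body and return (mapping, reasons);
    non-AddPortMapping actions yield (None, [])."""
    mapping = parse_add_port_mapping(body)
    if mapping is None:
        return None, []
    return mapping, assess(mapping)


if __name__ == "__main__":
    for sample in (SAMPLE_ADD_MAPPING, SAMPLE_GET_IP):
        mapping, reasons = triage(sample)
        if mapping is None:
            print("not an AddPortMapping request")
        else:
            print(f"{mapping['internal_client']}:{mapping['internal_port']} "
                  f"exposed as external port {mapping['external_port']}/"
                  f"{mapping['protocol']}; flags: {reasons}")
```

In practice the bodies would come from a capture of HTTP POSTs to the gateway's control URL (or from the gateway's own mapping table, which most IGD routers expose through `GetGenericPortMappingEntry`); on a home network, any `AddPortMapping` that no known application accounts for is worth a look, and disabling UPnP on the gateway removes the bypass entirely.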
